Abstract

We present an abstraction and refinement methodology for the automated controller synthesis to enforce 
general predefined specifications. The designed controllers require quantized (or symbolic) state information 
only and can be interfaced with the system via a static quantizer. Both features are particularly important 
with regard to any practical implementation of the designed controllers and, as we prove, are characterized 
by the existence of a feedback refinement relation between plant and abstraction. Feedback refinement 
relations are a novel concept introduced in this paper. Our work builds on a general notion of system 
with set-valued dynamics and possibly non-deterministic quantizers to permit the synthesis of controllers 
that robustly, and provably, enforce the specification in the presence of various types of uncertainties and 
disturbances. We identify a class of abstractions that is canonical in a well-defined sense, and provide a 
method to efficiently compute canonical abstractions. We demonstrate the practicality of our approach on 
two examples. 


Index Terms 

Discrete abstraction, symbolic model, nonlinear system, symbolic control, automated synthesis, robust
synthesis; MSC: Primary, 93B51; Secondary, 93B52, 93C10, 93C30, 93C55, 93C57, 93C65


I. Introduction 

A common approach to engineer reliable, robust, high-integrity hardware and software systems 
that are deployable in safety-critical environments is the application of formal verification techniques
to ensure the correct, error-free implementation of some given formal specifications. Typically, the 
verification phase is executed as a distinct step after the design phase, e.g. [1]. In case that the system 
fails to satisfy the specification, it is the engineer’s burden to identify the fault, adjust the system 
accordingly and return to the verification phase. A more appealing approach, especially in the context 
of intricate, complex dynamical systems, is to merge the design and verification phase and utilize 
automated correct-by-construction formal synthesis procedures, e.g. [2]. In our treatment of controller 
design problems we follow the latter approach. That is, given a mathematical system description and 
a formal specification which expresses the desired system behavior, we seek to synthesize a controller 
that provably enforces the specification on the system. Subsequently, we often refer to the system 
that is to be controlled as the plant. 

For finite systems, which are described by transition systems with finite state, input and output 
alphabets, there exist a number of automata-theoretic schemes, known under the label of reactive 
synthesis, to algorithmically synthesize controllers that enforce complex specifications, possibly formulated
in some temporal logic, see e.g. [2]-[6].

Those methods have been extended to infinite systems within an abstraction and refinement 
framework, e.g. [2], [7]-[20], which roughly proceeds in three steps. In the first step, the concrete 
infinite system (together with the specification) is lifted to an abstract domain where it is substituted
by a finite system, which is often referred to as abstraction or symbolic model. In the second step, an
auxiliary problem on the abstract domain (“abstract problem”) is solved using one of the previously
mentioned methods for finite systems. In the third step, the controller that has been synthesized for
the abstraction is refined to the concrete system.

The correctness of this controller design concept is usually ensured by relating the concrete system 
with its abstraction in terms of a system relation. The most common approaches are based on 
(alternating) (bi-)simulation relations and approximate variants thereof [2]. In this work, we address 
two shortcomings of the abstraction and refinement process based on simulation relations and related
concepts. The first shortcoming, which we refer to as the state information issue, results from the
fact that the refined controller requires the exact state information of the concrete system. However,
usually, the exact state is not known and only quantized (or symbolic) state information is available,
which constitutes a major obstacle to the practical implementation of the synthesized controllers.
The second issue refers to the huge amount of dynamics added to the abstract controller in the course
of its refinement, so that, effectively, the refined controller contains the abstraction as a building
block. Given the fact that an abstraction may very well comprise millions of states and billions of
transitions [7], [14], an implementation of the refined controller is often too expensive to be practical.
We refer to this problem as the refinement complexity issue. We illustrate both issues by examples
in Section IV. See also [21]. 

In this paper, we propose a novel notion of system relation, termed feedback refinement relation, to
resolve both issues. If the concrete system is related with the abstraction via a feedback refinement
relation, then, as we shall show, the abstract controller can be connected to the plant via a static
quantizer only, irrespective of the particular specification we seek to enforce on the plant. See Fig. 1.
Moreover, the existence of a feedback refinement relation between plant and abstraction is not only
sufficient to ensure the simple structure of the closed loop in Fig. 1, but in fact also necessary.

Figure 1. Closed loop resulting from the abstraction and refinement approach based on feedback refinement relations, proposed
in this paper.

Our work builds on a general notion of system with set-valued dynamics and possibly non-deterministic 
quantizers. This is particularly useful to model various types of disturbances, including plant uncertainties,
input disturbances and state measurement errors. We demonstrate how to account for those
perturbations in our framework so that the synthesized controllers robustly enforce the specification.

In general, abstractions over-approximate the plant behavior, and so their practical use will depend 
on the accuracy of the approximation that can be achieved by actual computational methods; see 
the discussion in [7, Sect. I]. In this regard, we show that the set membership relation together 
with an abstraction whose state alphabet is a cover of the concrete state alphabet is canonical in a
well-defined sense, and provide a method to compute canonical abstractions of perturbed nonlinear
sampled systems. The practicality of the approach is demonstrated on two examples: a path planning
problem for an autonomous vehicle and an aircraft landing maneuver. 

Related Work. Feedback refinement relations are based on the common principle of “accepting
more inputs and generating fewer outputs” that is often encountered in component-based design 
methodologies, e.g. contract-based design [22] and interface theories [23]. Those theories are usually 
developed in a purely behavioral setting, see e.g. [19], [22], [23], and are therefore not immediately 
applicable in our framework which is based on stateful systems. This class of systems contains a great 
variety of system descriptions, including common models like transition systems [2], [24] as well as 
discrete-time control systems [25]. 

There exist a number of abstraction-based controller synthesis methods, based on stateful systems, 
that do not suffer from the state information issue nor from the refinement complexity issue [7]-
[13]. However, none of those approaches offers necessary and sufficient conditions for the controller
refinement procedure to be free of the mentioned issues. In addition, the majority of these works
are tailored to certain types of specifications or systems. Specifically, simple safety and reachability
problems are considered in [10], [12] and [7]-[10], respectively, while [10]-[12] are limited to piecewise
affine, incrementally stable, and simple integrator dynamics, respectively. Moreover, plants are assumed
to be non-blocking in [7]-[13]. In contrast, our framework covers stateful systems with general,
set-valued dynamics, including transition systems and discrete-time control systems as special cases.
We allow systems to be blocking, and any linear time property can serve as a specification.

A class of methods known under the label of hierarchical control are similar in spirit to abstraction- 
based methods in that they synthesize discrete controllers using finite-state models derived from
concrete control problems, e.g. [26]-[28]. However, the finite-state models in [27], [28] are not
abstractions in the usual sense, in that they approximate the behavior of an interconnection of the 
plant with low-level controllers, rather than the behavior of the plant itself. In [26] one is required 
to derive a quantizer in accordance with the exact plant dynamics, and to verify rather complex 
system properties. Moreover, those hierarchical schemes require exact state information or, in the 
case of linear output feedback [29], require exact output information, and are unable to account 
for quantized or perturbed measurements. Additionally, for general nonlinear plants, all of the 
aforementioned approaches require the synthesis of low-level controllers to enforce a high-level plan, 
which is considered as an open problem [30] and current solutions exist only for rather restrictive 
classes of systems [29], [31], [32]. In contrast, the refinement step in our approach is completely
independent of the plant dynamics and does not involve the design of low-level controllers. 

For any of the aforementioned approaches, often a lack of robustness further restricts the applicability
of the methods. For example, [9]-[11] do not cover uncertainties in plant dynamics, while
in [8], [10], [11], [26]-[28] the quantizer is assumed to be deterministic which mandates the state 
measurement to be precise, without any error; see Section VI-B. 

Similarly to our work, the synthesis scheme in [13] introduces a novel system relation. However, 
in contrast to the theory in [13], feedback refinement relations do not rely on a metric of the state
alphabet, which is crucial in establishing the necessity as well as the canonicity result. Likewise, the
authors of [13] consider perturbations, but assume that the effect of these perturbations is given as
level sets of a metric. 

In addition to a general synthesis framework, we present a method to construct abstractions of 
perturbed nonlinear control systems. The abstractions are based on a cover of the state alphabet by 
non-empty compact hyper-intervals and the over-approximation of attainable sets of those hyper-intervals
under the system dynamics. While the use of attainable sets for the construction of
abstractions is a well-known concept [7], [8], [14], [15], none of the aforementioned works accounts 
for uncertainties or perturbations. Moreover, while our method to over-approximate attainable sets 
is similar to those in [14], [15] in that it is based on a growth bound, we present several extensions 
that render the approach more efficient.

To summarize, our contribution is threefold. First, we introduce feedback refinement relations as 
a novel means to synthesize symbolic controllers. We show that feedback refinement relations are
necessary and sufficient for the controller refinement that solves the state information issue and the
refinement complexity issue. Our theory applies to a more general class of synthesis problems than
previous research that addresses the mentioned issues, and in particular, any linear time property
can serve as a specification. Second, our work permits the synthesis of controllers that robustly, and
provably, enforce the specification in presence of various uncertainties and disturbances. Third, we
identify a class of canonical abstractions and present a method to compute such abstractions. Our 
construction improves known methods in several directions and thereby, as we demonstrate by some 
numerical examples, facilitates a more efficient computation of abstractions of perturbed nonlinear 
control systems. 

Some of the results we present have been announced in [21]. 

II. Notation 

The relative complement of the set $A$ in the set $B$ is denoted by $B \setminus A$. $\mathbb{R}$, $\mathbb{R}_+$, $\mathbb{Z}$ and $\mathbb{Z}_+$ denote
the sets of real numbers, non-negative real numbers, integers and non-negative integers, respectively,
and $\mathbb{N} = \mathbb{Z}_+ \setminus \{0\}$. We adopt the convention that $\pm\infty + x = \pm\infty$ for any $x \in \mathbb{R}$. $[a,b]$, $]a,b[$, $[a,b[$,
and $]a,b]$ denote closed, open and half-open, respectively, intervals with end points $a$ and $b$. $[a;b]$,
$]a;b[$, $[a;b[$, and $]a;b]$ stand for discrete intervals, e.g. $[a;b] = [a,b] \cap \mathbb{Z}$ and $[0;0[ = \emptyset$.

In $\mathbb{R}^n$, the relations $<$, $\le$, $>$, $\ge$ are defined component-wise, e.g. $a \le b$ iff $a_i \le b_i$ for all $i \in [1;n]$.

$f\colon A \rightrightarrows B$ denotes a set-valued map of $A$ into $B$, whereas $f\colon A \to B$ denotes an ordinary map;
see [33]. If $f$ is set-valued, then $f$ is strict and single-valued if $f(a) \neq \emptyset$ and $f(a)$ is a singleton,
respectively, for every $a$. The restriction of $f$ to a subset $M \subseteq A$ is denoted $f|_M$. Throughout the
text, we denote the identity map $X \to X\colon x \mapsto x$ by $\mathrm{id}$. The domain of definition $X$ will always be
clear from the context.

We identify set-valued maps $f\colon A \rightrightarrows B$ with binary relations on $A \times B$, i.e., $(a,b) \in f$ iff $b \in f(a)$.
Moreover, if $f$ is single-valued, it is identified with an ordinary map $f\colon A \to B$. The inverse mapping
$f^{-1}\colon B \rightrightarrows A$ is defined by $f^{-1}(b) = \{a \in A \mid b \in f(a)\}$, and $f \circ g$ denotes the composition of $f$ and $g$,
$(f \circ g)(x) = f(g(x))$.

The set of maps $A \to B$ is denoted $B^A$, and the set of all signals that take their values in $B$ and
are defined on intervals of the form $[0;T[$ is denoted $B^\infty$, $B^\infty = \bigcup_{T \in \mathbb{Z}_+ \cup \{\infty\}} B^{[0;T[}$.

III. Plants, Controllers, and Closed Loops 

A. Systems 

We consider dynamical systems of the form

$$x(t+1) \in F(x(t), u(t)), \qquad y(t) \in H(x(t), u(t)). \tag{1}$$

The motivation to use a set-valued transition function $F$ and a set-valued output function $H$ in
our system description originates from the desire to describe disturbances and other kinds of non-determinism
in a unified and concise manner. This description is also sufficiently expressive to model
the plant and the controller, but unfortunately leads to subtle issues with interconnected systems.
Consider e.g. the serial composition in Fig. 2, where $F_i\colon X_i \times U_i \rightrightarrows X_i$, $X_1 = U_1 = \{0\}$, $X_2 = U_2 = \{0,1\}$,
$Y_2 = \{a, b, c\}$, $F_1(0,0) = \{0\}$, $H_1(0,0) = U_2$, and $F_2$ and $H_2\colon X_2 \times U_2 \rightrightarrows Y_2$ are given as follows:
$F_2(1,0) = F_2(0,1) = \{0\}$, $F_2(0,0) = F_2(1,1) = \{1\}$, $H_2(0,0) = H_2(1,0) = \{a\}$, $H_2(0,1) = \{b\}$, and
$H_2(1,1) = \{c\}$. To recover the behavior at the terminals $u_1$ and $y_2$ with a system of the form (1), we
let $X = X_1 \times X_2$, $F\colon X \times U_1 \rightrightarrows X$ and $H\colon X \times U_1 \rightrightarrows Y_2$. As $Y_2$ contains more elements than $X \times U_1$,
which can all appear in $y_2$, the map $H$ must be multi-valued, which in turn implies that the following
property of the composed system in Fig. 2 cannot be retained: Between any two appearances of $b$ in
$y_2$ there is an even number of $a$'s, and between any appearance of $b$ and any appearance of $c$ there
is an odd number of $a$'s.

It follows that the class of systems of the form (1) is not closed under interconnection, given the
natural constraint that the state alphabet of the composed system equals the product of the state
alphabets of the individual systems. To circumvent this problem we consider a slightly more general
form of system dynamics given by

$$x(t+1) \in F(x(t), v(t)), \tag{2a}$$

$$(y(t), v(t)) \in H(x(t), u(t)), \tag{2b}$$

where $v$ is an internal variable. We formalize the notion of system as follows.

Figure 2. Serial composition of two dynamical systems of the form (1). The remaining symbol in the figure denotes a delay.

III.1 Definition. A system is a septuple

$$S = (X, X_0, U, V, Y, F, H), \tag{3}$$

where $X$, $X_0$, $U$, $V$ and $Y$ are nonempty sets, $X_0 \subseteq X$, $H\colon X \times U \rightrightarrows Y \times V$ is strict, and $F\colon X \times V \rightrightarrows X$.

A quadruple $(u, v, x, y) \in U^\infty \times V^\infty \times X^\infty \times Y^\infty$ is a solution of the system (3) (on $[0;T[$,
starting at $x(0)$) if $T \in \mathbb{N} \cup \{\infty\}$, (2a) holds for all $t \in [0;T-1[$, (2b) holds for all $t \in [0;T[$, and
$x(0) \in X_0$.

The internal variables allow us to introduce the constraint $u_2 = y_1$ imposed by the composition
in Fig. 2 and recover the behavior of the serially composed system with a system of the form (3) given by
$X = X_0 = \{0,1\}$, $U = \{0\}$, $V = Y = \{a,b,c\}$ with $F(0,a) = F(1,c) = \{1\}$, $F(1,a) = F(0,b) = \{0\}$
and $H(0,0) = \{(a,a),(b,b)\}$, $H(1,0) = \{(a,a),(c,c)\}$.

We call the sets $X$, $X_0$, $U$, $V$, and $Y$ the state, initial state, input, internal variable, and output
alphabet, respectively. The functions $F$ and $H$ are, respectively, the transition function and the output
function of (3). We call the system (3)

(i) autonomous if $U$ is a singleton;

(ii) static if $X$ is a singleton;

(iii) Moore if the output does not depend on the input, i.e., $(y,v) \in H(x,u) \Rightarrow \forall_{u' \in U}\, \exists_{v'}\, (y,v') \in H(x,u')$;$^1$

(iv) simple, if $U = V$, $X = Y$, $H = \mathrm{id}$, and all states are admissible as initial states, i.e., $X = X_0$.

We assume throughout that the plant is given by a simple system, which restricts our theory to
that class of plants.

B. System composition 

In the following, we dehne the serial and feedback composition of two systems. We start with the 
serial composition. 


$^1$The notation $\exists_s\, A$ reads as “there exists $s$ such that the statement $A$ holds”.
III.2 Definition. Let $S_i = (X_i, X_{i,0}, U_i, V_i, Y_i, F_i, H_i)$ be systems, $i \in \{1,2\}$, and assume that $Y_1 \subseteq U_2$.
Then $S_1$ is serial composable with $S_2$, and the serial composition of $S_1$ and $S_2$, denoted $S_2 \circ S_1$, is the
septuple

$$(X_{12},\, X_{1,0} \times X_{2,0},\, U_1,\, V_{12},\, Y_2,\, F_{12},\, H_{12}),$$

where $X_{12} = X_1 \times X_2$, $V_{12} = V_1 \times V_2$, $F_{12}\colon X_{12} \times V_{12} \rightrightarrows X_{12}$ and $H_{12}\colon X_{12} \times U_1 \rightrightarrows Y_2 \times V_{12}$ satisfy

$$F_{12}(x,v) = F_1(x_1,v_1) \times F_2(x_2,v_2),$$

$$H_{12}(x,u_1) = \{(y_2, v) \mid (y_1,v_1) \in H_1(x_1,u_1) \wedge (y_2,v_2) \in H_2(x_2,y_1)\}.$$

We readily see that the output function $H_{12}$ is strict which implies that $S_2 \circ S_1$ is a system. We use
the serial composition mainly to describe the interconnection of an input quantizer $Q\colon U' \rightrightarrows U$ or a
state quantizer $Q\colon X \rightrightarrows X'$ with a system $S$ of the form (3). We assume that $Q$ is strict and interpret
the quantizer as a static system with strict transition function. Suppose that $U'$ is a non-empty set,
then the serial composition $S \circ Q$ of $Q$ and $S$ is defined by

$$S \circ Q = (X, X_0, U', V, Y, F, H'),$$

where $H'\colon X \times U' \rightrightarrows Y \times V$ takes the form $H'(x,u') = H(x, Q(u'))$. Now suppose that $S$ is simple,
then we may interpret $Q\colon X \rightrightarrows X'$ as a measurement map that yields a quantized version of the state
of the system $S$. This situation is modeled by the serial composition $Q \circ S$ of $S$ and $Q$,

$$Q \circ S = (X, X, U, U, X', F, H'),$$

where $H'$ takes the form $H'(x,u) = Q(x) \times \{u\}$.
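The serial composition of Definition III.2 applied to the two Fig. 2 systems of Section III-A, as an added Python example that is not part of the paper. Both Fig. 2 systems are recast in the form (3) by taking the internal variable equal to the input, $S_2 \circ S_1$ is built from the formulas of Definition III.2, all its solutions on $[0;T[$ are enumerated as in Definition III.1, and the parity property of the output $y_2$ stated in Section III-A is checked on them. The `decouple` step is my own construction: it forgets the internal variable, which is the form-(1) reading of the composition in which the output map becomes multi-valued, and the same check then shows that the property is lost.

```python
from itertools import product, combinations

def sv(mapping, *args):
    """Evaluate a set-valued map stored as a dict; an absent key is the empty set."""
    return mapping.get(args, frozenset())

# Fig. 2, first system: X1 = U1 = {0}; its output alphabet is U2 = {0,1} and
# H1(0,0) = U2 is multi-valued.  The internal variable is the input (V1 = U1).
S1 = dict(X={0}, X0={0}, U={0}, V={0}, Y={0, 1},
          F={(0, 0): frozenset({0})},
          H={(0, 0): frozenset({(0, 0), (1, 0)})})          # pairs (y, v)

# Fig. 2, second system: F2(1,0)=F2(0,1)={0}, F2(0,0)=F2(1,1)={1},
# H2(0,0)=H2(1,0)={a}, H2(0,1)={b}, H2(1,1)={c}; again v = u.
S2 = dict(X={0, 1}, X0={0, 1}, U={0, 1}, V={0, 1}, Y={"a", "b", "c"},
          F={(1, 0): frozenset({0}), (0, 1): frozenset({0}),
             (0, 0): frozenset({1}), (1, 1): frozenset({1})},
          H={(0, 0): frozenset({("a", 0)}), (1, 0): frozenset({("a", 0)}),
             (0, 1): frozenset({("b", 1)}), (1, 1): frozenset({("c", 1)})})

def serial(S1, S2):
    """S2 o S1 of Definition III.2; requires Y1 subset of U2.  The coupling u2 = y1
    is carried by the internal variable v = (v1, v2)."""
    assert set(S1["Y"]) <= set(S2["U"]), "not serial composable"
    X12 = set(product(S1["X"], S2["X"]))
    V12 = set(product(S1["V"], S2["V"]))
    F12 = {}
    for (x1, x2), (v1, v2) in product(X12, V12):
        succ = frozenset(product(sv(S1["F"], x1, v1), sv(S2["F"], x2, v2)))
        if succ:
            F12[((x1, x2), (v1, v2))] = succ
    H12 = {((x1, x2), u1): frozenset((y2, (v1, v2))
                                     for y1, v1 in sv(S1["H"], x1, u1)
                                     for y2, v2 in sv(S2["H"], x2, y1))
           for (x1, x2), u1 in product(X12, S1["U"])}
    return dict(X=X12, X0=set(product(S1["X0"], S2["X0"])), U=set(S1["U"]),
                V=V12, Y=set(S2["Y"]), F=F12, H=H12)

def is_strict(S):
    """H must be non-empty at every (x, u) for the septuple to be a system."""
    return all(sv(S["H"], x, u) for x in S["X"] for u in S["U"])

def solutions(S, T):
    """All solutions (u, v, x, y) of S on [0;T[: (2b) at every t < T, (2a) at t < T-1."""
    found = []
    def extend(u, v, x, y):
        t = len(u)
        if t == T:
            found.append((tuple(u), tuple(v), tuple(x), tuple(y)))
            return
        for ut in S["U"]:
            for yt, vt in sv(S["H"], x[t], ut):
                if t == T - 1:                      # last instant: no transition needed
                    extend(u + [ut], v + [vt], x, y + [yt])
                else:
                    for xn in sv(S["F"], x[t], vt):
                        extend(u + [ut], v + [vt], x + [xn], y + [yt])
    for x0 in S["X0"]:
        extend([], [], [x0], [])
    return found

def decouple(S):
    """Constructed: forget the internal variable (V = {0}), so F only sees the state.
    This is the form-(1) reading of the composition discussed in Section III-A."""
    F = {}
    for (x, _), succ in S["F"].items():
        F[(x, 0)] = F.get((x, 0), frozenset()) | succ
    H = {key: frozenset((y, 0) for y, _ in outs) for key, outs in S["H"].items()}
    return dict(S, V={0}, F=F, H=H)

def parity_property(ys):
    """Between any two b's an even number of a's; between a b and a c an odd number."""
    marks = [(t, s) for t, s in enumerate(ys) if s in ("b", "c")]
    for (i, si), (j, sj) in combinations(marks, 2):
        n_a = ys[i + 1:j].count("a")
        if si == sj == "b" and n_a % 2 == 1:
            return False
        if si != sj and n_a % 2 == 0:
            return False
    return True

S21 = serial(S1, S2)

def output_sequences(S, T):
    """Distinct output signals y on [0;T[ of the system S."""
    return sorted({y for _, _, _, y in solutions(S, T)})

def property_retained(S, T):
    return all(parity_property(y) for y in output_sequences(S, T))
```

`output_sequences(S21, 3)` yields 15 distinct signals, none of them `("b", "a", "b")`, whereas `decouple(S21)` produces that signal because its transition function may pick either successor regardless of the emitted output.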

We turn our attention to the feedback composition of two systems as illustrated in Fig. 3. 

III.3 Definition. Let $S_i = (X_i, X_{i,0}, U_i, V_i, Y_i, F_i, H_i)$ be systems, $i \in \{1,2\}$, and assume that $S_2$ is
Moore, $Y_2 \subseteq U_1$ and $Y_1 \subseteq U_2$, and that the following condition holds:

(Z) If $(y_2,v_2) \in H_2(x_2,y_1)$, $(y_1,v_1) \in H_1(x_1,y_2)$ and $F_2(x_2,v_2) = \emptyset$, then $F_1(x_1,v_1) = \emptyset$.

Then $S_1$ is feedback composable with $S_2$, and the closed loop composed of $S_1$ and $S_2$, denoted $S_1 \times S_2$,
is the septuple

$$(X_{12},\, X_{1,0} \times X_{2,0},\, \{0\},\, V_{12},\, Y_{12},\, F_{12},\, H_{12}),$$

where $X_{12} = X_1 \times X_2$, $V_{12} = V_1 \times V_2$, $Y_{12} = Y_1 \times Y_2$, and $F_{12}\colon X_{12} \times V_{12} \rightrightarrows X_{12}$ and $H_{12}\colon X_{12} \times \{0\} \rightrightarrows Y_{12} \times V_{12}$ satisfy

$$F_{12}(x,v) = F_1(x_1,v_1) \times F_2(x_2,v_2),$$

$$H_{12}(x,0) = \{(y,v) \mid (y_1,v_1) \in H_1(x_1,y_2) \wedge (y_2,v_2) \in H_2(x_2,y_1)\}.$$

Figure 3. Closed loop $S_1 \times S_2$ of systems $S_1$ and $S_2$ according to Definition III.3, in which the system $S_2$ is required to be Moore.

Reissig, Weber, and Rungger: Feedback Refinement Relations for the Synthesis of Symbolic Controllers


The requirement (Z), which has its analog in the theory developed in [2], is particularly important
and will be needed later to ensure that if the concrete closed loop is non-blocking, then so is the
abstract closed loop. The assumption that $S_2$ is additionally Moore is common [34] and ensures that
the closed loop does not contain a delay free cycle. We emphasize that we avoid the assumption that
the controller is allowed to set the initial state of the plant, as appears e.g. in [2].

We conclude this section with a proposition that we use in several proofs throughout the paper.

III.4 Proposition. Let $S_1$ be feedback composable with $S_2$, and let $T \in \mathbb{N} \cup \{\infty\}$. Then the closed
loop $S_1 \times S_2$ is an autonomous Moore system, and $(0, v, x, y)$ is a solution of $S_1 \times S_2$ on $[0;T[$ iff
$(y_2, v_1, x_1, y_1)$ is a solution of $S_1$ on $[0;T[$ and $(y_1, v_2, x_2, y_2)$ is a solution of $S_2$ on $[0;T[$.

Proof. We claim that $H_{12}$ is strict. Indeed, assume that $x \in X_{12}$ and $a \in U_2$. Since $H_1$ and $H_2$ are
both strict, there exist $(y_2, b) \in H_2(x_2, a)$ and $(y_1, v_1) \in H_1(x_1, y_2)$. Then there exists $v_2$ satisfying
$(y_2, v_2) \in H_2(x_2, y_1)$ as $S_2$ is Moore, and so $(y,v) \in H_{12}(x,0)$. This proves our claim. The remaining
requirements in Definition III.1 are clearly satisfied, which shows that $S_1 \times S_2$ is a system, and that
system is autonomous, and hence, Moore. The claim on the solutions of $S_1 \times S_2$ is straightforward
to prove using Definitions III.1 and III.3. □
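Feedback composition according to Definition III.3, as an added Python example that is not part of the paper: a constructed two-state plant in which one state-input pair is blocking, two constructed static controllers, the Moore test of Definition III.1 (iii), the test of condition (Z), and the closed-loop septuple, on which the strictness and autonomy asserted by Proposition III.4 are checked. The plant, the controller policies and all alphabet sizes are my own choices; `RECKLESS` is the controller that applies the blocking input while itself continuing, which is exactly what (Z) rules out.

```python
from itertools import product

def sv(mapping, *args):
    """Evaluate a set-valued map stored as a dict; an absent key is the empty set."""
    return mapping.get(args, frozenset())

# Constructed plant, a simple system (Def. III.1 (iv)) on states {1,2} with inputs {0,1}:
# input 1 at state 1 is blocking (F(1,1) = empty); every other pair moves to the other state.
PLANT = dict(X={1, 2}, X0={1, 2}, U={0, 1}, V={0, 1}, Y={1, 2},
             F={(1, 0): frozenset({2}), (2, 0): frozenset({1}), (2, 1): frozenset({1})},
             H={(x, u): frozenset({(x, u)}) for x in (1, 2) for u in (0, 1)})

def static_controller(policy):
    """Constructed static controller (X = {0}) that reads the plant state y and emits
    policy[y]; its internal variable records the measured state."""
    return dict(X={0}, X0={0}, U={1, 2}, V={1, 2}, Y={0, 1},
                F={(0, v): frozenset({0}) for v in (1, 2)},
                H={(0, y): frozenset({(policy[y], y)}) for y in (1, 2)})

SAFE = static_controller({1: 0, 2: 0})       # never applies the blocking input
RECKLESS = static_controller({1: 1, 2: 0})   # applies input 1 at plant state 1

def is_strict(S):
    return all(sv(S["H"], x, u) for x in S["X"] for u in S["U"])

def is_moore(S):
    """(y,v) in H(x,u) implies: for every u' some v' with (y,v') in H(x,u')."""
    for x, u in product(S["X"], S["U"]):
        for y, _ in sv(S["H"], x, u):
            for u2 in S["U"]:
                if not any(y2 == y for y2, _ in sv(S["H"], x, u2)):
                    return False
    return True

def condition_z(S1, S2):
    """(Z): whenever (y2,v2) in H2(x2,y1), (y1,v1) in H1(x1,y2) and F2(x2,v2) is empty,
    F1(x1,v1) must be empty too, i.e. S1 may not continue where S2 has stopped."""
    for x1, x2 in product(S1["X"], S2["X"]):
        for y1 in S1["Y"]:
            for y2, v2 in sv(S2["H"], x2, y1):
                for y1b, v1 in sv(S1["H"], x1, y2):
                    if y1b == y1 and not sv(S2["F"], x2, v2) and sv(S1["F"], x1, v1):
                        return False
    return True

def feedback(S1, S2):
    """Closed loop S1 x S2 of Definition III.3; raises ValueError when S1 is not
    feedback composable with S2."""
    if not (set(S2["Y"]) <= set(S1["U"]) and set(S1["Y"]) <= set(S2["U"])):
        raise ValueError("output alphabets do not fit the input alphabets")
    if not is_moore(S2):
        raise ValueError("S2 is not Moore")
    if not condition_z(S1, S2):
        raise ValueError("condition (Z) violated")
    X12 = set(product(S1["X"], S2["X"]))
    V12 = set(product(S1["V"], S2["V"]))
    F12 = {}
    for (x1, x2), (v1, v2) in product(X12, V12):
        succ = frozenset(product(sv(S1["F"], x1, v1), sv(S2["F"], x2, v2)))
        if succ:
            F12[((x1, x2), (v1, v2))] = succ
    # H12(x,0): the pairs (y,v) that are consistent for both components at once
    H12 = {((x1, x2), 0): frozenset(((y1, y2), (v1, v2))
                                    for y1 in S1["Y"]
                                    for y2, v2 in sv(S2["H"], x2, y1)
                                    for y1b, v1 in sv(S1["H"], x1, y2) if y1b == y1)
           for x1, x2 in X12}
    return dict(X=X12, X0=set(product(S1["X0"], S2["X0"])), U={0}, V=V12,
                Y=set(product(S1["Y"], S2["Y"])), F=F12, H=H12)

def composable(S1, S2):
    try:
        feedback(S1, S2)
        return True
    except ValueError:
        return False

def closed_loop_is_autonomous_moore(S1, S2):
    """The properties of Proposition III.4, checked on the constructed septuple."""
    loop = feedback(S1, S2)
    return len(loop["U"]) == 1 and is_strict(loop) and is_moore(loop)
```

With `SAFE` the closed loop exists and, at the state pair $(0,1)$, its only output pair is $((0,1),(1,0))$ with successor $(0,2)$; with `RECKLESS` the plant can stop after $(1,1)$ while the controller would continue, so `feedback` refuses the composition.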


IV. Motivation 

In this section, we provide two examples that demonstrate the state information issue and the 
refinement complexity issue, which have led to the development of the novel notion of feedback
refinement relation. Both examples show that the drawbacks do not depend on the specific refinement
technique, but are intrinsic to the use of alternating (bi)simulation relations, bisimulation relations
and their approximate variants. 

Let us consider two systems $S_1$ and $S_2$ and two controllers $C_1$ and $C_2$,
in which we assume that the transition functions of the four systems are all strict, that $X_i \subseteq Y$, and
that $H_i(x,u) = \{(x,u)\}$ for all $(x,u) \in X_i \times U$. We readily see that the controller $C_i$ is feedback
composable with the system $S_i$, $i \in \{1,2\}$. Subsequently, we interpret $S_1$ as the concrete system and
$S_2$ as its abstraction.

Let $Q \subseteq X_1 \times X_2$ be a strict relation. Then $Q$ is an alternating simulation relation from $S_1$ to $S_2$
if the following holds for every pair $(x_1,x_2) \in Q$:

(ASR) If $u_2 \in U$, then there exists $u_1 \in U$ such that the condition

$$\emptyset \neq Q(x_1') \cap F_2(x_2, u_2) \tag{4}$$

holds for every $x_1' \in F_1(x_1, u_1)$.

Note that usually there is an additional condition on outputs of related states, which here would 
have required the notion of approximate rather than ordinary alternating simulation relation [2, 
Def. 9.6]. Since that subtlety is not essential to our discussion, we omit it here in favor of a clearer 
presentation. 

As already mentioned, alternating simulation relations are often used to prove the correctness of
a particular abstraction-based controller design procedure. The very center of any such argument is
the reproducibility of the system behavior of the concrete closed loop $C_1 \times S_1$ by the abstract closed
loop $C_2 \times S_2$, i.e., for every solution $(0, u_1, (x_{c,1}, x_{s,1}), y_1)$ of $C_1 \times S_1$ on $[0;T[$ there exists a solution
$(0, u_2, (x_{c,2}, x_{s,2}), y_2)$ of $C_2 \times S_2$ on $[0;T[$ satisfying

$$(x_{s,1}(t), x_{s,2}(t)) \in Q \text{ for all } t \in [0;T[. \tag{5}$$

This reproducibility property is then used to provide evidence that certain properties that the abstract
closed loop $C_2 \times S_2$ satisfies, actually also hold for the concrete closed loop $C_1 \times S_1$.

In the first example, we show that (5) cannot hold if $C_1$ attains state information only through
$Q$, i.e., if $C_1$ takes the form $C_1' \circ Q$. In other words, the refined controller cannot be symbolic but
requires full state information.

IV.1 Example. We consider the systems $S_1$ and $S_2$ which we graphically illustrate by

[Figure: transition graphs of $S_1$ and $S_2$]

The input and output alphabets of $S_1$ and $S_2$ are given by $U = \{0,1\}$ and $Y = \{1,2,3\}$, respectively.
The transition functions should be clear from the illustration, e.g. $F_1(2,1) = \{1\}$ and $F_1(1,u) = \{1\}$
for any $u \in U$. It is also easily verified that the relation $Q$ given by $Q = \{(1,1),(2,3),(3,3)\}$ is an
alternating simulation relation from $S_1$ to $S_2$.

Let the abstract controller $C_2$ be static with $X_{c,2} = \{0\}$, $V_{c,2} = Y$, and $H_{c,2}(0,3) = \{(0,3)\}$, i.e., $C_2$
enables exactly the control letter 0 at the abstract state 3. If the concrete controller $C_1$ is symbolic,
then, at the initial time, the sets of control letters enabled at the plant states 2 and 3 coincide.
Indeed, these sets must only depend on the associated abstract states, and $Q(2) = Q(3)$. In addition,
by the symmetry of the plant $S_1$, we may assume without loss of generality that the control letter 0
is enabled at the initial time, so that there exists a solution $(0, u_1, (x_{c,1}, x_{s,1}), y_1)$ of the closed loop
$C_1 \times S_1$ satisfying $x_{s,1}(0) = x_{s,1}(1) = 2$. Then the condition (5) requires $x_{s,2}(0) = x_{s,2}(1) = 3$ to
hold for some solution $(0, u_2, (x_{c,2}, x_{s,2}), y_2)$ of $C_2 \times S_2$, a requirement that contradicts the dynamics
of $C_2 \times S_2$. This shows that the property of reproducibility cannot be attained using a symbolic
controller for the plant $S_1$. The crucial point with this example is that the condition (ASR) cannot
be satisfied if the choice of $u_1$ depends only on the abstract states associated with the plant state $x_1$,
but not directly on $x_1$ itself. □

In the next example we show that a static controller $C_2$ for the abstraction $S_2$ cannot be refined to
a static controller $C_1$ for the concrete system $S_1$.

IV.2 Example. We consider the systems $S_1$ and $S_2$ with the transition functions illustrated graphically
by

[Figure: transition graphs of $S_1$ and $S_2$]

The input alphabet and the output alphabet are given by $U = \{0,1\}$ and $Y = \{1,2,3,4\}$, respectively.
It is easily verified that the relation $Q$ given by $Q = \{(1,1),(2,2),(2,3),(4,4)\}$ is an alternating
simulation relation from $S_1$ to $S_2$. In addition, in this example the relation $Q$ satisfies even the more
restrictive requirement that $u_1 = u_2$ holds in (ASR).

Suppose that the abstract controller $C_2$ is static and enables exactly the control letters 0 and 1 at
the abstract states 2 and 3, respectively. If the concrete controller $C_1$ is static, then the set of control
letters enabled at the plant state 2 does not vary with time. By the symmetry of the plant $S_1$, we may
again assume without loss of generality that the control letter 0 is enabled at the state 2, so that there
exists a solution $(0, u_1, (x_{c,1}, x_{s,1}), y_1)$ of the closed loop $C_1 \times S_1$ satisfying $x_{s,1}(0) = x_{s,1}(2) = 1$. Then
the condition (5) asks for $x_{s,2}(0) = x_{s,2}(2) = 1$ for some solution $(0, u_2, (x_{c,2}, x_{s,2}), y_2)$ of $C_2 \times S_2$, a
requirement that contradicts the dynamics of $C_2 \times S_2$. This shows that the property of reproducibility
cannot be attained using a static controller for the plant $S_1$ despite the fact that the abstract controller
is static. The crucial point with this example is that the condition (4) only mandates that for each
transition from $x_1$ to $x_1'$ in $S_1$ there exists a state $x_2' \in Q(x_1')$ that is a successor of $x_2$ in $S_2$, but it
is not required that every $x_2' \in Q(x_1')$ succeeds $x_2$; consider e.g. the case $x_1 = x_2 = 1$, $x_1' = x_2' = 2$.
As a result, the states 1 and 4 cannot precede the states 2 and 3, respectively, in $S_2$, and so, implicitly,
the static controller $C_2$ has some access to the history of the solution. In contrast, at the state 2 the
dynamics of $S_1$ does not encode analogous information, which in fact could here only be provided by
a controller for $S_1$ that is dynamic rather than static. □

As our examples show, alternating simulation relations are not adequate for the controller refinement,
whenever i) the concrete controller has merely symbolic state information and ii) the complexity
of the refined controller should not exceed the complexity of the abstract controller. Moreover, we
point out that in both examples the respective relation $Q$ is not merely an alternating simulation
relation according to our definition in (ASR), but also a 1-approximate bisimulation relation and 1-
approximate alternating bisimulation relation according to Definitions 9.5 and 9.8 in [2], respectively.
Hence, the latter concepts also suffer from both issues described in this section.

V. Feedback Refinement Relations 

In this section, we introduce feedback refinement relations as a novel means to compare systems in 
the context of controller synthesis, in which we focus on simple systems. 

A. Definition and basic properties 

We start by introducing the behavior of a system, where we follow the notion of infinitary completed 
trace semantics [35]. 

V.1 Definition. Let $S$ denote the system (3). The set $B(S)$,

$$B(S) = \{(u,y) \mid \exists_{v,x,T}\ (u,v,x,y) \text{ is a solution of } S \text{ on } [0;T[, \text{ and if } T < \infty, \text{ then } F(x(T-1), v(T-1)) = \emptyset\}, \tag{6}$$

is called the behavior of $S$.

Note that it often occurs that a system is non-continuable for a certain state-input pair, e.g. the
terminating state of a terminating program. With our notion of system behavior, which possibly
consists of finite signals as well as infinite signals, such signals are naturally included as valid elements.

In our definition of system relation below, we need a notion of state dependent admissible inputs.
For any simple system $S$ of the form (3), we define the set $U_S(x)$ of admissible inputs at the state
$x \in X$ by

$$U_S(x) = \{u \in U \mid F(x,u) \neq \emptyset\},$$

and the image of a subset $M \subseteq X$ under $U_S$ is denoted $U_S(M)$.
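Definition V.1 and the admissible-input set $U_S(x)$ on a finite example, as an added Python example that is not part of the paper. The three-state simple system is my own construction: one state admits both inputs, one admits only input 0, and one admits none, like the terminating state of a program mentioned above. `finite_behavior` lists the elements of $B(S)$ up to a horizon and, as (6) demands, keeps a finite signal only when its last state-input pair is blocking; a signal that could still be continued is a prefix of a longer solution but not itself an element of the behavior.

```python
def sv(mapping, *args):
    """Evaluate a set-valued map stored as a dict; an absent key is the empty set."""
    return mapping.get(args, frozenset())

# Constructed simple system (form (7)): states {1,2,3}, inputs {0,1}.
#   state 1: both inputs admissible;  state 2: only input 0 (F(2,1) is empty);
#   state 3: no input admissible, like the terminating state of a program.
SYS = dict(X={1, 2, 3}, X0={1, 2, 3}, U={0, 1},
           F={(1, 0): frozenset({2}), (1, 1): frozenset({3}),
              (2, 0): frozenset({1})})

def admissible(S, x):
    """U_S(x) = {u in U | F(x,u) non-empty}."""
    return frozenset(u for u in S["U"] if sv(S["F"], x, u))

def admissible_image(S, states):
    """U_S(M) for a subset M of the state alphabet (the image of M under U_S)."""
    return frozenset().union(*(admissible(S, x) for x in states))

def finite_behavior(S, horizon):
    """Elements (u, y) of B(S) with T <= horizon.  For a simple system v = u and y = x,
    so a solution is a state signal plus an input signal; it belongs to the behavior
    only if F(x(T-1), u(T-1)) is empty, i.e. the final state-input pair is blocking."""
    result = set()
    def extend(u, x):
        t = len(u)                       # next instant to fill; x has t+1 entries
        if t == horizon:
            return
        for ut in S["U"]:
            succ = sv(S["F"], x[-1], ut)
            if not succ:                 # blocked after (x(t), u(t)): completed trace, T = t+1
                result.add((tuple(u) + (ut,), tuple(x)))
            else:
                for xn in succ:
                    extend(u + [ut], x + [xn])
    for x0 in S["X0"]:
        extend([], [x0])
    return result

def is_completed(S, u, y):
    """Check (6) directly for a finite candidate pair (u, y), y being the state signal."""
    T = len(u)
    if T == 0 or len(y) != T or y[0] not in S["X0"]:
        return False
    if any(y[t + 1] not in sv(S["F"], y[t], u[t]) for t in range(T - 1)):
        return False
    return not sv(S["F"], y[T - 1], u[T - 1])
```

For the horizon 3 the enumeration finds nine completed traces; the pair $((0),(1))$ is a valid solution on $[0;1[$ but not an element of $B(S)$, because $F(1,0) \neq \emptyset$ means the system has not stopped there.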

V.2 Definition. Let $S_1$ and $S_2$ be simple systems,

$$S_i = (X_i, X_i, U_i, U_i, X_i, F_i, \mathrm{id}) \tag{7}$$

for $i \in \{1,2\}$, and assume that $U_2 \subseteq U_1$. A strict relation $Q \subseteq X_1 \times X_2$ is a feedback refinement relation
from $S_1$ to $S_2$ if the following holds for all $(x_1,x_2) \in Q$:

(i) $U_{S_2}(x_2) \subseteq U_{S_1}(x_1)$;

(ii) $u \in U_{S_2}(x_2) \Rightarrow Q(F_1(x_1,u)) \subseteq F_2(x_2,u)$.

The fact that $Q$ is a feedback refinement relation from $S_1$ to $S_2$ will be denoted $S_1 \preccurlyeq_Q S_2$, and we
write $S_1 \preccurlyeq S_2$ if $S_1 \preccurlyeq_Q S_2$ holds for some $Q$.
Intuitively, and similarly to simulation relations and their variants, a feedback refinement relation
from a system $S_1$ to a system $S_2$ associates states of $S_1$ with states of $S_2$, and imposes certain conditions
on the local dynamics of the systems in the associated states. However, while e.g. alternating
simulation relations only require that for each input $u_2$ admissible for $S_2$ there exists an associated
input $u_1$ admissible for $S_1$ [2], our definition above additionally mandates that $u_1 = u_2$. Moreover,
the definition of (approximate) alternating simulation relation requires that for each transition from
$x_1$ to $x_1'$ in $S_1$ there exists a state $x_2'$ associated with $x_1'$ and a transition from $x_2$ to $x_2'$ in $S_2$, see
condition (4). In contrast, feedback refinement relations require the existence of the latter transition
for every state $x_2'$ associated with $x_1'$.

We next show that the relation $\preccurlyeq$ is reflexive and transitive.

V.3 Proposition. Let $S_1$, $S_2$ and $S_3$ be simple systems. Then:

(a) $S_1 \preccurlyeq S_1$.

(b) If $S_1 \preccurlyeq_Q S_2$ and $S_2 \preccurlyeq_R S_3$, then $S_1 \preccurlyeq_{R \circ Q} S_3$.

Proof. Suppose that $S_i$ is of the form (7), $i \in \{1,2,3\}$. The requirements in Def. V.2 are satisfied
with $Q = \mathrm{id}$, $S_1 = S_2$ and $x_1 = x_2$, which proves (a). To prove (b), assume that $S_1 \preccurlyeq_Q S_2 \preccurlyeq_R S_3$.
Then $R \circ Q$ is strict since both $R$ and $Q$ are so, and $U_3 \subseteq U_1$. Let $(x_1,x_3) \in R \circ Q$. Then there exists
$x_2 \in X_2$ satisfying $(x_1,x_2) \in Q$ and $(x_2,x_3) \in R$. Thus, $U_{S_3}(x_3) \subseteq U_{S_2}(x_2) \subseteq U_{S_1}(x_1)$, and so the
condition (i) in Def. V.2 is satisfied with $R \circ Q$ and $S_3$ in place of $Q$ and $S_2$, respectively. As for the
condition (ii), additionally assume that $u \in U_{S_3}(x_3)$. Then $u \in U_{S_2}(x_2)$, and $S_1 \preccurlyeq_Q S_2 \preccurlyeq_R S_3$ implies
$Q(F_1(x_1,u)) \subseteq F_2(x_2,u)$ and $R(F_2(x_2,u)) \subseteq F_3(x_3,u)$. Then $R(Q(F_1(x_1,u))) \subseteq F_3(x_3,u)$, and so
$S_1 \preccurlyeq_{R \circ Q} S_3$. □


B. Feedback composability and behavioral inclusion

In the following, we present the main result of this section. We consider three systems $S_1$, $S_2$ and $C$ and assume that $C$ is feedback composable with $S_2$. We first prove that, given a feedback refinement relation $Q$ from $S_1$ to $S_2$, the controllers $C$ and $C \circ Q$ are feedback composable with $Q \circ S_1$ and with $S_1$, respectively. Subsequently, we show that the behaviors of the closed loops $C \times (Q \circ S_1)$ and $(C \circ Q) \times S_1$ are both reproducible by the closed loop $C \times S_2$.

Even though we do not assign any particular role to the systems $S_1$, $S_2$ and $C$, in foresight of the next section, where we use our result to develop abstraction-based solutions of general control problems, we might regard $S_1$, $S_2$ and $C$ as the plant, the abstraction and the controller for the abstraction, respectively. In this context, we might assume that the state of $S_1$ is accessible only through the measurement map $Q$. In that case, $Q \circ S_1$ actually represents the system for which we seek a controller, and the behavior $\mathcal{B}(C \times (Q \circ S_1))$ is of interest. Alternatively, we may start with the premise that a controller for $S_1$ needs to be realizable on a digital device and hence can accept only a finite input alphabet. In that case, we may interpret $Q$ as an input quantizer for the discrete controller $C$, and the behavior $\mathcal{B}((C \circ Q) \times S_1)$ is of interest. In any case, we show that both behaviors are reproduced by the abstract closed loop $C \times S_2$. In the rest of the paper, we identify $\{0\} \times (U \times Y)$ with $U \times Y$ in the obvious way.

V.4 Theorem. Let $Q$ be a feedback refinement relation from the system $S_1$ to the system $S_2$, and assume that the system $C$ is feedback composable with $S_2$. Then the following holds.

(i) $C$ is feedback composable with $Q \circ S_1$, and $C \circ Q$ is feedback composable with $S_1$.

(ii) $\mathcal{B}(C \times (Q \circ S_1)) \subseteq \mathcal{B}(C \times S_2)$.

(iii) For every $(u,x_1) \in \mathcal{B}((C \circ Q) \times S_1)$ there exists a map $x_2$ such that $(u,x_2) \in \mathcal{B}(C \times S_2)$ and $(x_1(t),x_2(t)) \in Q$ for all $t$ in the domain of $x_1$.

Proof. By our hypotheses, $S_1$ and $S_2$ are simple, so we assume that these systems are of the form (7). Moreover,

$$Q \circ S_1 = (X_1, X_1, U_1, U_1, X_2, F_1, H_1'), \qquad (8)$$

where $U_2 \subseteq U_1$ and $H_1'$ takes the form $H_1'(x,u) = Q(x) \times \{u\}$. Let the system $C$ be of the form

$$C = (X_c, X_{c,0}, U_c, V_c, Y_c, F_c, H_c), \qquad (9)$$

and observe that $Y_c \subseteq U_1$ and $X_2 \subseteq U_c$ as $C$ is feedback composable (f.c.) with $S_2$. Moreover, since $X_1 \neq \emptyset$ and $Q$ is strict, the serial composition $C \circ Q$ is well-defined,

$$C \circ Q = (X_c, X_{c,0}, X_1, V_c, Y_c, F_c, H_c'),$$

where $H_c'$ takes the form $H_c'(x_c,x_1) = H_c(x_c, Q(x_1))$.

To prove (i), we first observe that the conditions

$$x_2 \in Q(x_1), \quad (u,v) \in H_c(x_c,x_2), \quad F_1(x_1,u) = \emptyset \qquad (10)$$

together imply $F_c(x_c,v) = \emptyset$. Indeed, $F_1(x_1,u) = \emptyset$ means $u \notin U_{S_1}(x_1)$, so it follows from (10) and requirement (i) in Definition V.2 that $F_2(x_2,u) = \emptyset$, and our claim follows as $C$ is f.c. with $S_2$. This shows that $C$ is f.c. with $Q \circ S_1$. Similarly, let $x_1 \in X_1$, $(u,v) \in H_c'(x_c,x_1)$ and $F_1(x_1,u) = \emptyset$. Then, by the definition of $H_c'$, there exists $x_2 \in Q(x_1)$ such that $(u,v) \in H_c(x_c,x_2)$. Then (10) holds, and so $F_c(x_c,v) = \emptyset$ as we have already shown. Hence, $C \circ Q$ is f.c. with $S_1$, which completes the proof of (i).

To prove (ii), let $(u,x_2) \in \mathcal{B}(C \times (Q \circ S_1))$ be defined on $[0;T[$, $T \in \mathbb{N} \cup \{\infty\}$. Then there exist maps $x_c$, $x_1$ and $v$ such that $(0,(v,u),(x_c,x_1),(u,x_2))$ is a solution of $C \times (Q \circ S_1)$ on $[0;T[$. Moreover, if additionally $T < \infty$, then we also have

$$F_c(x_c(T-1),v(T-1)) = \emptyset \;\vee\; F_1(x_1(T-1),u(T-1)) = \emptyset. \qquad (11)$$

By Proposition III.4, $(u,u,x_1,x_2)$ is a solution of $Q \circ S_1$ on $[0;T[$, and $(x_2,v,x_c,u)$ is a solution of $C$ on $[0;T[$. The former fact implies the following:

$$\forall_{t \in [0;T[}\;\; x_2(t) \in Q(x_1(t)), \qquad (12)$$

$$\forall_{t \in [0;T-1[}\;\; x_1(t+1) \in F_1(x_1(t),u(t)). \qquad (13)$$

We claim that $(u,u,x_2,x_2)$ is a solution of $S_2$, so that $(0,(v,u),(x_c,x_2),(u,x_2))$ is a solution of $C \times S_2$ by Proposition III.4. First, we observe that $F_2(x_2(t),u(t)) \neq \emptyset$ for every $t \in [0;T-1[$. Indeed, $(u(t),v(t)) \in H_c(x_c(t),x_2(t))$ for every such $t$ since $(x_2,v,x_c,u)$ is a solution of $C$ on $[0;T[$. Hence, $F_2(x_2(t),u(t)) = \emptyset$ for some $t \in [0;T-1[$ implies $F_c(x_c(t),v(t)) = \emptyset$ as $C$ is f.c. with $S_2$. This is a contradiction as $x_c(t+1) \in F_c(x_c(t),v(t))$, so $F_2(x_2(t),u(t)) \neq \emptyset$ for every $t \in [0;T-1[$. Consequently, $u(t) \in U_{S_2}(x_2(t))$ for all $t \in [0;T-1[$, so (12), (13) and requirement (ii) in Definition V.2 imply that $x_2(t+1) \in Q(x_1(t+1)) \subseteq Q(F_1(x_1(t),u(t))) \subseteq F_2(x_2(t),u(t))$ for all $t \in [0;T-1[$. This shows that $(0,(v,u),(x_c,x_2),(u,x_2))$ is a solution of $C \times S_2$ on $[0;T[$.

Finally, we see that if $T < \infty$ and $u(T-1) \in U_{S_2}(x_2(T-1))$, then (12) and requirement (i) in Definition V.2 together imply $F_1(x_1(T-1),u(T-1)) \neq \emptyset$, and in turn, (11) shows that $F_c(x_c(T-1),v(T-1)) = \emptyset$. Thus, $(u,x_2) \in \mathcal{B}(C \times S_2)$, which proves (ii).

To prove (iii), let $(u,x_1) \in \mathcal{B}((C \circ Q) \times S_1)$ be defined on $[0;T[$, $T \in \mathbb{N} \cup \{\infty\}$. Then there exist maps $x_c$ and $v$ such that $(0,(v,u),(x_c,x_1),(u,x_1))$ is a solution of $(C \circ Q) \times S_1$ on $[0;T[$. Moreover, if additionally $T < \infty$, then we also have

$$F_c(x_c(T-1),v(T-1)) = \emptyset \;\vee\; F_1(x_1(T-1),u(T-1)) = \emptyset. \qquad (14)$$

By Proposition III.4, $(u,u,x_1,x_1)$ and $(x_1,v,x_c,u)$ are solutions of $S_1$ and $C \circ Q$, respectively. In particular, by the definition of $H_c'$, there exists a map $x_2\colon [0;T[ \to X_2$ such that $x_2(t) \in Q(x_1(t))$ and $(u(t),v(t)) \in H_c(x_c(t),x_2(t))$ for all $t \in [0;T[$. Then $(x_2,v,x_c,u)$ and $(u,u,x_1,x_2)$ are solutions of $C$ and $Q \circ S_1$, respectively, so $(0,(v,u),(x_c,x_1),(u,x_2))$ is a solution of $C \times (Q \circ S_1)$ by Proposition III.4. We next observe that if $T < \infty$ and $F_1(x_1(T-1),u(T-1)) \neq \emptyset$, then (14) implies $F_c(x_c(T-1),v(T-1)) = \emptyset$. This shows that $(u,x_2) \in \mathcal{B}(C \times (Q \circ S_1))$, and so (iii) follows from (ii). □
Next we show that feedback refinement relations are not only sufficient, but indeed necessary for the controller refinement as considered in this paper.

V.5 Theorem. Let $S_1$ and $S_2$ be simple systems of the form (7), and let $Q \subseteq X_1 \times X_2$ be a strict relation. If for every system $C$ that is feedback composable with $S_2$ it follows that $C$ is feedback composable with $Q \circ S_1$ and $\mathcal{B}(C \times (Q \circ S_1)) \subseteq \mathcal{B}(C \times S_2)$ holds, then $Q$ is a feedback refinement relation from $S_1$ to $S_2$.

Proof. In the proof we consider systems $Q \circ S_1$ of the form (8). Let $C$ be given by $(\{0\},\{0\},X_2,\{0\},U_2,F_c,H_c)$ with $F_c(0,0) = \emptyset$ and $H_c$ being strict. Then $C$ is feedback composable (f.c.) with $S_2$, and in turn, $C$ is f.c. with $Q \circ S_1$ by our hypothesis. This implies $U_2 \subseteq U_1$ as required in Def. V.2.

To prove that $Q$ satisfies condition (i) in Def. V.2, we let $(x_1,x_2) \in Q$ and $u \in U_{S_2}(x_2)$ and show that $F_1(x_1,u) \neq \emptyset$. Let $C$ be given by $(\{0\},\{0\},X_2,X_2,U_2,F_c,H_c)$ with $H_c(0,\tilde x_2) = \{(u,\tilde x_2)\}$ for all $\tilde x_2 \in X_2$, $F_c(0,x_2) = \{0\}$, and $F_c(0,\tilde x_2) = \emptyset$ for $\tilde x_2 \in X_2 \setminus \{x_2\}$. Then $C$ is f.c. with $S_2$. In particular, condition (I) in Definition III.3 reduces to $F_2(x_2,u) \neq \emptyset$. Then $C$ is also f.c. with $Q \circ S_1$ by our hypothesis, and here condition (I) implies $F_1(x_1,u) \neq \emptyset$ and the claim follows.

To prove that $Q$ satisfies condition (ii) in Definition V.2, we choose $C$ as $(\{0\},\{0\},X_2,X_2,U_2,F_c,H_c)$ with $H_c$ and $F_c$ defined by: if $U_{S_2}(x_2) = \emptyset$ we set $H_c(0,x_2) = U_2 \times \{x_2\}$ and $F_c(0,x_2) = \emptyset$; otherwise $H_c(0,x_2) = U_{S_2}(x_2) \times \{x_2\}$ and $F_c(0,x_2) = \{0\}$. With this definition of $C$ condition (I) holds and $C$ is f.c. with $S_2$, and by our hypothesis, $C$ is also f.c. with $Q \circ S_1$. Suppose that condition (ii) does not hold. Then there exist $(x_1,x_2) \in Q$, $u \in U_{S_2}(x_2)$, $x_1' \in F_1(x_1,u)$ and $x_2' \in Q(x_1')$ such that $x_2' \notin F_2(x_2,u)$. Let $\bar x_1 = x_1 x_1'$ and $\bar u = u u'$ with $(u',x_2') \in H_c(0,x_2')$. Then $(\bar u,\bar u,\bar x_1,\bar x_1)$ is a solution of $S_1$ on $[0;2[$. Define $\bar x_2 = x_2 x_2'$ and observe that $(\bar u,\bar u,\bar x_1,\bar x_2)$ is a solution of $Q \circ S_1$. Let $\bar x_c = 0\,0$; since $F_2(x_2,u) \neq \emptyset$, we see that $(u,x_2) \in H_c(0,x_2)$ and $\{0\} = F_c(0,x_2)$. Also $(u',x_2') \in H_c(0,x_2')$ by our choice of $u'$, and thus $(\bar x_2,\bar x_2,\bar x_c,\bar u)$ is a solution of $C$. Hence by Proposition III.4 we see that $(0,(\bar x_2,\bar u),(\bar x_c,\bar x_1),(\bar u,\bar x_2))$ is a solution of $C \times (Q \circ S_1)$. Consider $(\tilde u,\tilde x_2) \in \mathcal{B}(C \times (Q \circ S_1))$ with $\tilde u|_{[0;2[} = \bar u$ and $\tilde x_2|_{[0;2[} = \bar x_2$. Since $\tilde x_2(1) \notin F_2(\tilde x_2(0),\tilde u(0))$, the sequence $(0,(\tilde x_2,\tilde u),(\tilde x_c,\tilde x_2),(\tilde u,\tilde x_2))$ cannot be a solution of $C \times S_2$, and so $(\tilde u,\tilde x_2) \notin \mathcal{B}(C \times S_2)$. This is a contradiction, which establishes condition (ii) in Definition V.2. □

VI. Symbolic Controller Synthesis

In this section, we propose a controller synthesis technique based on the concept of feedback refinement relations which resolves the state information and refinement complexity issues as explained and illustrated in Sections I and IV, applies to general specifications, and produces controllers that are robust with respect to various disturbances. We follow the general three step procedure of abstraction-based synthesis outlined in Section I, where we focus on the first and third steps. Our results will be complemented by the computational method presented in Section VIII, whereas the solution of the abstract control problem, the second step of the general procedure, is beyond the scope of the present paper. Indeed, large classes of these problems can be solved efficiently using standard algorithms, e.g. [2]-[6], [17].

A. Solution of control problems

We begin with the definition of the synthesis problem.

VI.1 Definition. Let $S$ denote the system (3). Given a set $Z$, any subset $\Sigma \subseteq Z^\infty$ is called a specification on $Z$. A system $S$ is said to satisfy a specification $\Sigma$ on $U \times Y$ if $\mathcal{B}(S) \subseteq \Sigma$. Given a specification $\Sigma$ on $U \times Y$, the system $C$ solves the control problem $(S,\Sigma)$ if $C$ is feedback composable with $S$ and the closed loop $C \times S$ satisfies $\Sigma$.

It is clear that we can use linear temporal logic (LTL) to define a specification for a given system $S$. Indeed, suppose that we are given a finite set $\mathcal{V}$ of atomic propositions, a labeling function $L$ defined on $U \times Y$, and an LTL formula $\varphi$ defined over $\mathcal{V}$, see e.g. [24, Chapter 5]. Then we can formulate the control problem $(S,\Sigma)$ to enforce the formula $\varphi$ on $S$ using the specification

$$\Sigma = \{(u,y) \in (U \times Y)^{\mathbb{Z}_+} \mid L \circ (u,y) \text{ satisfies } \varphi\}.$$

Our notion of specification is not limited to LTL, e.g. "$y(t) = 1$ holds for all even $t \in \mathbb{Z}_+$" is not expressible in LTL [24, Remark 5.43], but is a valid specification in our framework.

We are now going to solve control problems using Theorem V.4. As we have already discussed, the concrete control problem $(S_1,\Sigma_1)$ will not be solved directly. Instead, we will consider an auxiliary problem for the abstraction ("abstract control problem"), whose solution will induce a solution of the concrete problem.

VI.2 Definition. Let $S_1$ and $S_2$ be simple systems of the form (7), let $\Sigma_1$ be a specification on $U_1 \times X_1$, and let $Q \subseteq X_1 \times X_2$ be a strict relation. A specification $\Sigma_2$ on $U_2 \times X_2$ is called an abstract specification associated with $S_1$, $S_2$, $Q$ and $\Sigma_1$, if the following condition holds.

If $(u,x_2) \in \Sigma_2$, where $x_2$ and $u$ are defined on $[0;T[$ for some $T \in \mathbb{N} \cup \{\infty\}$, and if $x_1\colon [0;T[ \to X_1$ satisfies $(x_1(t),x_2(t)) \in Q$ for all $t \in [0;T[$, then $(u,x_1) \in \Sigma_1$.

For the sake of simplicity, we write $(S_1,\Sigma_1) \preccurlyeq_Q (S_2,\Sigma_2)$ whenever $S_1 \preccurlyeq_Q S_2$ and $\Sigma_2$ is an abstract specification associated with $S_1$, $S_2$, $Q$ and $\Sigma_1$. The result presented below shows how to use a solution of the abstract control problem to arrive at a solution of the concrete control problem, resulting in the closed loop in Fig. 1.

VI.3 Theorem. If $(S_1,\Sigma_1) \preccurlyeq_Q (S_2,\Sigma_2)$ and the abstract controller $C$ solves the control problem $(S_2,\Sigma_2)$, then the refined controller $C \circ Q$ solves the control problem $(S_1,\Sigma_1)$.

Proof. As $C$ solves $(S_2,\Sigma_2)$, $C$ is feedback composable with $S_2$, and hence, $C \circ Q$ is feedback composable with $S_1$ by Theorem V.4.

It remains to show that $\mathcal{B}((C \circ Q) \times S_1) \subseteq \Sigma_1$. So, let $(u,x_1) \in \mathcal{B}((C \circ Q) \times S_1)$ be arbitrary and invoke Theorem V.4 again to see that there exists a map $x_2$ such that $(u,x_2) \in \mathcal{B}(C \times S_2)$ and $(x_1(t),x_2(t)) \in Q$ for all $t$ in the domain of $x_2$. Then $(u,x_2) \in \Sigma_2$ since $C$ solves $(S_2,\Sigma_2)$, and the definition of the abstract specification $\Sigma_2$ shows that $(u,x_1) \in \Sigma_1$. □

B. Uncertainties and disturbances

We next show that it is an easy task in our framework to synthesize controllers that are robust with respect to various disturbances including plant uncertainties, input disturbances and measurement errors. In particular, we demonstrate that the synthesis of a robust controller can be reduced to the solution of an auxiliary, unperturbed control problem.

Let us consider the closed loop illustrated in Fig. 4 consisting of a plant given by a simple system $S_1$ of the form (7), the perturbation maps $P_i$, given by strict set-valued maps with non-empty domains,

$$P_1\colon U_1 \rightrightarrows U_1, \quad P_2\colon X_1 \rightrightarrows X_1, \quad P_3\colon U_1 \rightrightarrows Y_1, \quad P_4\colon X_1 \rightrightarrows Y_2, \qquad (15)$$

and a strict quantizer

$$Q\colon X_1 \rightrightarrows X_2. \qquad (16)$$

We seek to synthesize a controller given as a system

$$C = (X_c, X_{c,0}, X_2, V_c, U_1, F_c, H_c) \qquad (17)$$

to robustly enforce a given specification $\Sigma_1$ on $Y_1 \times Y_2$.

The behavior of the closed loop in Fig. 4 is defined as the set of all sequences $(y_1,y_2) \in (Y_1 \times Y_2)^{[0;T[}$, $T \in \mathbb{N} \cup \{\infty\}$, for which there exist a solution $(u,u,x,x)$ of $S_1$ on $[0;T[$ and a solution $(u_c,v_c,x_c,y_c)$ of $C$ on $[0;T[$ that satisfy the following two conditions. For all $t \in [0;T[$ we have

$$u(t) \in P_1(y_c(t)), \quad u_c(t) \in Q(P_2(x(t))), \quad y_1(t) \in P_3(y_c(t)), \quad y_2(t) \in P_4(x(t)). \qquad (18)$$

If $T < \infty$, then

$$F_1(x(T-1),u(T-1)) = \emptyset, \quad \text{or} \quad F_c(x_c(T-1),v_c(T-1)) = \emptyset. \qquad (19)$$

Figure 4. Various perturbations in the closed loop.

It is straightforward to observe that the perturbation maps $P_1$ and $P_2$ may be used to model input disturbances and measurement errors, respectively. We assume that the uncertainties of the dynamics of $S_1$ have already been modeled by the set-valued transition function $F_1$. The controller $C$ and the quantizer $Q$, which will usually be discrete, are not subject to any additional perturbations either. The maps $P_3$ and $P_4$ are useful in the presence of output disturbances. For example, the plant $S_1$ might represent a sampled variant of a continuous-time control system, while the specification of the desired behavior is naturally formulated in continuous time rather than in discrete time. In that context, one can use $P_3$ and $P_4$ to "robustify" the specification as in [36], such that properties of the sampled behavior carry over to the continuous-time behavior.

Given some specifications $\Sigma_1$ on $Y_1 \times Y_2$ and $\hat\Sigma_1$ on $U_1 \times X_1$, we call $\hat\Sigma_1$ a robust specification of $\Sigma_1$ w.r.t. $P_3$ and $P_4$ if for all functions $(y_c,x,y_1,y_2) \in (U_1 \times X_1 \times Y_1 \times Y_2)^{[0;T[}$, $T \in \mathbb{N} \cup \{\infty\}$, we have that

$$(y_c,x) \in \hat\Sigma_1 \;\text{ and }\; \forall_{t \in [0;T[}\; y_1(t) \in P_3(y_c(t)),\; y_2(t) \in P_4(x(t))$$

implies $(y_1,y_2) \in \Sigma_1$.

In the following result, we present sufficient conditions for a controller $C$ to robustly enforce a given specification $\Sigma_1$ on the perturbed closed loop illustrated in Fig. 4, in terms of the auxiliary simple system $\hat S_1$,

$$\hat S_1 = (X_1, X_1, U_1, U_1, X_1, \hat F_1, \mathrm{id}), \qquad \hat F_1(x,u) = F_1(x,P_1(u)), \qquad (20)$$

together with a robust specification $\hat\Sigma_1$ of $\Sigma_1$. We show in the subsequent corollary, which follows immediately from Theorem VI.3, how to use an abstraction $(S_2,\Sigma_2)$ to synthesize such a controller $C$.

VI.4 Theorem. Consider a simple system $S_1$, perturbation maps $P_i$, $i \in [1;4]$, a strict quantizer $Q$, and a controller $C$ as illustrated in Fig. 4 and respectively defined in (7), (15), (16) and (17), and assume that $F_1$ is strict. Let $\Sigma_1$ be a specification on $Y_1 \times Y_2$. Let $(\hat S_1,\hat\Sigma_1)$ be an auxiliary control problem, where $\hat S_1$ follows from $S_1$ according to (20) and $\hat\Sigma_1$ is a robust specification of $\Sigma_1$ w.r.t. $P_3$ and $P_4$.

If $C \circ \hat Q$, with $\hat Q = Q \circ P_2$, solves the control problem $(\hat S_1,\hat\Sigma_1)$, then the behavior of the perturbed closed loop in Fig. 4 is a subset of $\Sigma_1$.

Proof. Our assumptions imply that $C \circ \hat Q$ is feedback composable with $\hat S_1$. Using Definition III.3, Proposition III.4, the strictness of $F_1$, and the properties (18)-(19), it is straightforward to show that $(y_1,y_2)$ is an element of the behavior of the closed loop in Fig. 4 iff there exists $(y_c,x) \in \mathcal{B}((C \circ \hat Q) \times \hat S_1)$ satisfying $y_1(t) \in P_3(y_c(t))$ and $y_2(t) \in P_4(x(t))$ for all $t$. Consequently, if $(y_1,y_2)$ is an element of the behavior of the closed loop in Fig. 4, then there exists $(y_c,x) \in \hat\Sigma_1$ satisfying $y_1(t) \in P_3(y_c(t))$ and $y_2(t) \in P_4(x(t))$ for all $t$, and so $(y_1,y_2) \in \Sigma_1$ by the definition of $\hat\Sigma_1$. □

VI.5 Corollary. In the context of Theorem VI.4, if $C$ solves an abstract control problem $(S_2,\Sigma_2)$ with $(\hat S_1,\hat\Sigma_1) \preccurlyeq_{\hat Q} (S_2,\Sigma_2)$, where $X_2$ is the state space of $S_2$, then the behavior of the closed loop in Fig. 4 is a subset of $\Sigma_1$.

In the following example we demonstrate that it is crucial to account for the measurement errors $P_2$ in terms of the auxiliary quantizer $\hat Q = Q \circ P_2$, as opposed to accounting for this type of disturbance in terms of an alternative auxiliary system $\tilde S_1 = (X_1, X_1, U_1, U_1, X_1, \tilde F_1, \mathrm{id})$ with $\tilde F_1$ given by

$$\tilde F_1(x_1,u) = P_2(F_1(x_1,P_1(u))). \qquad (21)$$

VI.6 Example. We consider the simple system $S_1$ of the form (7) with the transition function illustrated graphically (the transition diagram is not reproduced in this text). The state and input alphabets are given by $X_1 = \{a,b,c,d\}$ and $U_1 = \{0,1\}$, respectively. Suppose we are given the specification $\Sigma_1$ on $U_1 \times X_1$ defined implicitly by $(u,x) \in \Sigma_1$ iff $d$ is in the image of $x$. Let us consider the quantizer $Q = \mathrm{id}$ and the perturbation maps $P_1 = P_3 = P_4 = \mathrm{id}$ and $P_2$ defined by $P_2(a) = \{a\}$, $P_2(b) = P_2(c) = \{b,c\}$ and $P_2(d) = \{d\}$. Let the auxiliary system $\tilde S_1$ coincide with $S_1$ except that the transition function is given by $\tilde F_1(x,u) = P_2(F_1(x,u))$.

The controller $C \circ Q$, with $C$ given as a static system with strict transition function and output map $H_c\colon \{0\} \times X_1 \rightrightarrows U_1 \times X_1$ defined by $H_c(0,a) = H_c(0,d) = U_1 \times \{a\}$, $H_c(0,b) = \{(1,a)\}$, $H_c(0,c) = \{(0,a)\}$, solves the control problem $(\tilde S_1,\Sigma_1)$. However, $(u,x) = ((0,a),(1,c),(1,c),(1,c),\ldots)$ is an element of the behavior of the closed loop according to Fig. 4 and yet violates the specification $\Sigma_1$. □

As the example demonstrates, we cannot rely on the auxiliary system with transition function (21) to synthesize a robust controller; instead we need a quantizer that is robust with respect to disturbances. That is essentially expressed by requiring that $C \circ \hat Q$ with $\hat Q = Q \circ P_2$ solves the auxiliary control problem $(\hat S_1,\hat\Sigma_1)$. Intuitively, we require that the controller $C$ "works" with any quantizer symbol $x_2 \in Q(P_2(x_1))$, no matter how the disturbance $P_2$ is acting on the state $x_1$. Note that in Example VI.6, the controller $C \circ (\mathrm{id} \circ P_2)$ does not solve the control problem $(\hat S_1,\hat\Sigma_1)$ (which in this case equals $(S_1,\Sigma_1)$).

Finally, we would like to mention that in the context of control systems, any symbolic controller synthesis procedure that is based on a deterministic quantizer is bound to be non-robust. Indeed, consider the context of Theorem VI.4 and suppose that $X_1 = \mathbb{R}^n$, $X_2$ is a partition of $X_1$, and let $P_2(x_1)$ equal the closed Euclidean ball with radius $\varepsilon > 0$ centered at $x_1$. Let us consider the deterministic quantizer $Q = {\in}$. Then $\hat Q = Q \circ P_2$ is deterministic only in the degenerate case $\varepsilon = 0$.

VII. Canonical Feedback Refinement Relations

In this section, we show that the set membership relation $\in$, together with an abstraction whose state alphabet is a cover of the concrete state alphabet, is canonical. A cover of a set $X$ is a set of subsets of $X$ whose union equals $X$.

We show that $(S_1,\Sigma_1) \preccurlyeq_Q (S_3,\Sigma_3)$ implies that there exist $(S_2,\Sigma_2)$, with $X_2$ being a cover of $X_1$ by non-empty subsets, together with a relation $R$ such that the following holds:

$$(S_1,\Sigma_1) \preccurlyeq_{\in} (S_2,\Sigma_2) \preccurlyeq_R (S_3,\Sigma_3).$$

This implies that if we can solve the concrete control problem $(S_1,\Sigma_1)$ using some abstract control problem $(S_3,\Sigma_3)$, then we can equally use an abstract control problem $(S_2,\Sigma_2)$ with $X_2$ being a cover of $X_1$ by non-empty subsets. Moreover, $(S_2,\Sigma_2)$ can be derived from the problem $(S_3,\Sigma_3)$ and the quantizer $Q$ alone and is otherwise independent of $(S_1,\Sigma_1)$.

A. Canonical abstractions

VII.1 Proposition. Let $S_1$ and $S_2$ be simple systems of the form (7), in which $X_2$ is a cover of $X_1$ by non-empty subsets and $U_2 \subseteq U_1$. Then $S_1 \preccurlyeq_{\in} S_2$ iff the following conditions hold.

(i) $x \in \Omega \in X_2$ implies $U_{S_2}(\Omega) \subseteq U_{S_1}(x)$.

(ii) If $\Omega \in X_2$, $u \in U_{S_2}(\Omega)$ and $\Omega' \cap F_1(\Omega,u) \neq \emptyset$, then $\Omega' \in F_2(\Omega,u)$.

The above result, whose straightforward proof we omit, will be used in our proof of the canonicity result, Theorem VII.2. It additionally indicates constructive methods to compute a canonical abstraction $S_2$ of a plant $S_1$ if the abstract state space $X_2$ and the input alphabet $U_2 \subseteq U_1$ are given. From condition (ii) it follows that, if $\Omega \in X_2$, $u \in U_2$ and $F_1(x,u) \neq \emptyset$ for every $x \in \Omega$, then we may either choose $F_2(\Omega,u)$ to be empty, which is of course not desirable¹, or ensure that the latter set contains every cell $\Omega'$ that intersects the attainable set $F_1(\Omega,u)$ of the cell $\Omega$ under the control letter $u$. This can be achieved by numerically over-approximating attainable sets, for which many algorithms are available, see e.g. [7] and Section VIII.

On the other hand, condition (i) requires that $F_2(\Omega,u)$ is empty whenever $F_1(x,u)$ is so for some $x \in \Omega$. This raises the question of how to detect the phenomenon of blocking of the dynamics of the plant. If the transition function $F_1$ is explicitly given, we assume that its description directly facilitates the detection of blocking. In the case that the plant represents a sampled system, so that $F_1$ is the time-$\tau$-map of some continuous-time control system, blocking can usually be detected in the course of over-approximating attainable sets. For example, if an over-approximation $W$ of the attainable set $F_1(\Omega,u)$ is computed using interval arithmetic, and if $F_1(x,u) = \emptyset$ for some $x \in \Omega$, then $W$ will be unbounded, e.g. [37, Chapter II.3], which is easily detected.
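As an added worked example (not code from the paper), the following Python script carries out, on a constructed finite plant, the construction just described: it builds the abstraction of Proposition VII.1 from a cover of the state alphabet, emptying $F_2(\Omega,u)$ whenever some state of the cell blocks under $u$ as condition (i) demands, checks Definition V.2 for the membership relation, synthesizes a static invariance controller on the abstraction by the usual fixed-point iteration (the "second step", which the paper leaves to standard algorithms), and runs the refined controller $C \circ Q$ of Theorem VI.3 exhaustively against the plant. The plant, the cover, the specification and every identifier in the script are assumptions made for this example.

```python
"""Feedback refinement on finite systems (added worked example, not the
paper's code).  Plant, cover and specification below are constructed
assumptions, chosen so that every result can be checked by hand."""
from itertools import product

# Constructed plant S1 of the form (7): states 0..7 on a line, letters L/S/R.
# Each letter moves by one of two displacements (set-valued dynamics); a
# move that could leave X1 is undefined, i.e. F1(x,u) is empty (blocking).
X1 = frozenset(range(8))
U1 = frozenset("LSR")
DISP = {"L": (-1, 0), "S": (0, 1), "R": (1, 2)}

def F1(x, u):
    succ = {x + d for d in DISP[u]}
    return frozenset(succ) if succ <= X1 else frozenset()

def adm(F, U, x):
    """U_S(x) = {u in U | F(x,u) nonempty}: the letters admissible at x."""
    return {u for u in U if F(x, u)}

# Cover X2 of X1 by non-empty cells (one overlap, so Q(3) has two symbols);
# Q is the membership relation of Section VII.
X2 = [frozenset(c) for c in ({0, 1}, {2, 3}, {3, 4, 5}, {6, 7})]

def Q(x):
    return {cell for cell in X2 if x in cell}

def canonical_abstraction(F, U, cover, detect_blocking=True):
    """Transition function following Prop. VII.1: F2(cell,u) is the set of
    cells hit by F(cell,u), and is empty when some state of the cell blocks
    under u (condition (i)).  detect_blocking=False skips that test and
    yields a table that is NOT a feedback refinement."""
    table = {}
    for cell, u in product(cover, U):
        if detect_blocking and any(not F(x, u) for x in cell):
            table[(cell, u)] = frozenset()
            continue
        post = {y for x in cell for y in F(x, u)}
        table[(cell, u)] = frozenset(c for c in cover if c & post)
    return lambda cell, u: table[(cell, u)]

def is_feedback_refinement(X1, U1, F1, X2, U2, F2, Q):
    """Def. V.2: U2 <= U1, Q strict, and for every (x1,x2) in Q
    (i) U_S2(x2) <= U_S1(x1), (ii) u in U_S2(x2) => Q(F1(x1,u)) <= F2(x2,u)."""
    if not U2 <= U1 or any(not Q(x1) for x1 in X1):
        return False
    for x1 in X1:
        for x2 in Q(x1):
            u2 = adm(F2, U2, x2)
            if not u2 <= adm(F1, U1, x1):
                return False
            for u in u2:
                if not {c for y in F1(x1, u) for c in Q(y)} <= F2(x2, u):
                    return False
    return True

def invariance_controller(U2, F2, cover, safe_cells):
    """Largest controlled invariant set W* inside safe_cells (standard fixed
    point) and the static abstract controller K: K[x2] holds the letters
    whose non-empty successor set stays in W*; it is empty outside W*."""
    W = set(safe_cells)
    while True:
        keep = {c for c in W if any(F2(c, u) and F2(c, u) <= W for u in U2)}
        if keep == W:
            break
        W = keep
    K = {c: {u for u in U2 if F2(c, u) and F2(c, u) <= W} for c in cover}
    return W, K

def closed_loop_reach(F1, Q, K, init):
    """Plant states reachable under the refined controller C o Q: any symbol
    x2 in Q(x1) may be measured and any letter in K[x2] applied.  Also
    returns the reachable states at which some measurement leaves the
    controller without a letter (there the refined loop would block)."""
    seen, todo, blocked = set(init), list(init), set()
    while todo:
        x = todo.pop()
        for x2 in Q(x):
            if not K[x2]:
                blocked.add(x)
            for u in K[x2]:
                for y in F1(x, u) - seen:
                    seen.add(y)
                    todo.append(y)
    return seen, blocked

if __name__ == "__main__":
    F2 = canonical_abstraction(F1, U1, X2)
    print("Def. V.2 holds:", is_feedback_refinement(X1, U1, F1, X2, U1, F2, Q))
    # Specification: never visit 6 or 7.  Its abstract specification keeps
    # the closed loop in the cells contained in {0,...,5}.
    W, K = invariance_controller(U1, F2, X2, [c for c in X2 if c <= set(range(6))])
    reach, blocked = closed_loop_reach(F1, Q, K, [x for x in X1 if Q(x) <= W])
    print("controller:", {tuple(sorted(c)): sorted(v) for c, v in K.items()})
    print("reachable under C o Q:", sorted(reach), "blocking at:", sorted(blocked))
```

Running the script shows the two points of this section on a concrete case. At the plant states 4 and 5 the refined controller only allows L, although S would keep the plant inside $\{4,5\}$: the cell $\{3,4,5\}$ reaches $\{6,7\}$ under S, so the abstraction is conservative and the refined controller inherits that. Passing `detect_blocking=False` produces a table that is not a feedback refinement, because the cell $\{0,1\}$ then admits L while state 0 blocks under L, which is exactly the violation of condition (i) discussed above.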

B. Canonicity result

Before we state and prove the canonicity result, we introduce a technical condition that we impose on the feedback refinement relation $Q$ from $(S_1,\Sigma_1)$ to $(S_3,\Sigma_3)$, i.e.,

(C) if $\emptyset \neq Q^{-1}(x) = Q^{-1}(\tilde x)$, $\emptyset \neq Q^{-1}(x') = Q^{-1}(\tilde x')$, $\tilde x' \in F_3(\tilde x,u)$, and $u \in U_{S_3}(x)$, then $x' \in F_3(x,u)$.

We point out that condition (C) is not an essential restriction and it actually holds for a great variety of abstractions and relations. For example, it automatically holds if the abstraction $S_3$ is defined as a quotient system [2, Definition 4.17]. In that case, the elements of $X_3$ correspond to the equivalence classes of an equivalence relation on $X_1$. Therefore, we have that $Q^{-1}(x) = Q^{-1}(\tilde x)$ implies $x = \tilde x$, and condition (C) is trivially satisfied. Similarly, relations that are based on level sets of simulation functions $V\colon X_1 \times X_3 \to \mathbb{R}_+$ with $X_1, X_3 \subseteq \mathbb{R}^n$, see e.g. [18], for popular choices of simulation functions like $V(x_1,x_3) = \sqrt{(x_1 - x_3)^{\top} P (x_1 - x_3)}$ with $P$ being a positive definite matrix, where $x^{\top}$ denotes the transpose of $x$, satisfy (C). In this case, the relation is given by $Q = \{(x_1,x_3) \in X_1 \times X_3 \mid V(x_1,x_3) \le \varepsilon\}$ and again $Q^{-1}(x) = Q^{-1}(\tilde x)$ implies $x = \tilde x$, and we conclude that (C) holds. Lastly, the condition (C) also holds for the case that $Q$ is given and the abstraction $S_3$ is computed using a deterministic algorithm to over-approximate attainable sets. This is immediate from the following reformulation of condition (ii) in Definition V.2: If $x_2, x_2' \in X_2$, $u \in U_{S_2}(x_2)$, and $Q^{-1}(x_2') \cap F_1(Q^{-1}(x_2),u) \neq \emptyset$, then $x_2' \in F_2(x_2,u)$.

¹ One should always choose $F_2(\Omega,u) \neq \emptyset$, since it enlarges the set of control letters available to any abstract controller and thereby facilitates the solution of the abstract control problem.

VII.2 Theorem. Let $(S_3,\Sigma_3)$ be a control problem, in which $S_3$ is simple and of the form (7). Let $X_1$ be any set, and assume that $Q\colon X_1 \rightrightarrows X_3$ satisfies the condition (C).

Then there exist a simple system $S_2$ of the form (7), a relation $R \subseteq X_2 \times X_3$ and a specification $\Sigma_2$ on $U_2 \times X_2$ such that the following holds.

(*) If $(S_1,\Sigma_1) \preccurlyeq_Q (S_3,\Sigma_3)$ and the system $S_1$ has state space $X_1$, then $(S_1,\Sigma_1) \preccurlyeq_{\in} (S_2,\Sigma_2) \preccurlyeq_R (S_3,\Sigma_3)$ and $X_2$ is a cover of $X_1$ by non-empty subsets.

Proof. We will prove that (*) holds for the following choices of $S_2$, $R$ and $\Sigma_2$:

$X_2 = \{Q^{-1}(x) \mid x \in X_3\} \setminus \{\emptyset\}$, $R(\Omega) = \{x \in X_3 \mid \Omega = Q^{-1}(x)\}$, $U_2 = U_3$, $F_2(\Omega,u) = R^{-1}(F_3(R(\Omega),u))$, and $(u,\Omega) \in (U_2 \times X_2)^\infty$ is an element of $\Sigma_2$ iff there exists $(u,x_3) \in \Sigma_3$ satisfying $(\Omega(t),x_3(t)) \in R$ for all $t$ in the domain of $u$.

To establish (*), assume that $(S_1,\Sigma_1) \preccurlyeq_Q (S_3,\Sigma_3)$. Then $Q$ is strict, which already proves our claim on $X_2$, and $S_1$ is simple, and so we can assume that $S_1$ takes the form (7).

To prove $S_1 \preccurlyeq_{\in} S_2$, we first notice that condition (i) in Proposition VII.1 is satisfied. Indeed, let $x_1 \in \Omega \in X_2$ and $u \in U_{S_2}(\Omega)$. By our choice of $F_2$ and $R$, there exists $x_3$ satisfying $(x_1,x_3) \in Q$ and $u \in U_{S_3}(x_3)$. Then $u \in U_{S_1}(x_1)$ by Def. V.2 applied to $S_1 \preccurlyeq_Q S_3$. To establish condition (ii) in Prop. VII.1, we let $\Omega, \Omega' \in X_2$ and $u \in U_{S_2}(\Omega)$ and assume that $\Omega' \cap F_1(\Omega,u) \neq \emptyset$. By the latter fact there exist $x_1 \in \Omega$ and $x_1' \in \Omega' \cap F_1(x_1,u)$, and $u \in U_{S_2}(\Omega)$ implies that there exists $x_3$ such that $\Omega = Q^{-1}(x_3)$ and $u \in U_{S_3}(x_3)$. We pick $x_3'$ satisfying $\Omega' = Q^{-1}(x_3')$. Then $(x_1,x_3), (x_1',x_3') \in Q$, and so $S_1 \preccurlyeq_Q S_3$ implies $x_3' \in Q(x_1') \subseteq F_3(x_3,u)$. Hence, $\Omega' \in F_2(\Omega,u)$ by our choice of $F_2$. This proves $S_1 \preccurlyeq_{\in} S_2$.

To prove $S_2 \preccurlyeq_R S_3$, let $(\Omega,x_3) \in R$ and $u \in U_{S_3}(x_3)$ and pick any $x_1 \in \Omega$. Then $(x_1,x_3) \in Q$ by our choice of $R$, and using $S_1 \preccurlyeq_Q S_3$ we obtain $u \in U_{S_1}(x_1)$. The latter fact implies that there exists $x_1' \in F_1(x_1,u)$, and using $S_1 \preccurlyeq_Q S_3$ again we see that $Q(x_1') \subseteq F_3(x_3,u)$. Since $Q$ is strict we may pick $x_3' \in Q(x_1')$. Then $Q^{-1}(x_3') \neq \emptyset$, and hence $u \in U_{S_2}(\Omega)$ by the definition of $F_2$, which proves condition (i) in Definition V.2. To prove condition (ii) in that definition, let $(\Omega,x_3) \in R$, $u \in U_{S_3}(x_3)$ and $\Omega' \in F_2(\Omega,u)$. Then $\Omega' \in R^{-1}(F_3(R(\Omega),u))$, so there exist $\tilde x_3$ and $\tilde x_3' \in F_3(\tilde x_3,u)$ satisfying $\Omega = Q^{-1}(\tilde x_3)$ and $\Omega' = Q^{-1}(\tilde x_3')$. Then condition (C) implies $x_3' \in F_3(x_3,u)$ for every $x_3' \in R(\Omega')$, and in turn, $R(\Omega') \subseteq F_3(x_3,u)$.

To complete the proof, we notice that, by the definition of $\Sigma_2$, $\Sigma_3$ is an abstract specification associated with $S_2$, $S_3$, $R$ and $\Sigma_2$, which shows $(S_2,\Sigma_2) \preccurlyeq_R (S_3,\Sigma_3)$. Finally, to prove $(S_1,\Sigma_1) \preccurlyeq_{\in} (S_2,\Sigma_2)$, let $(u,\Omega) \in \Sigma_2$, assume that $u$ is defined on $[0;T[$, and let $x_1\colon [0;T[ \to X_1$ satisfy $x_1(t) \in \Omega(t)$ for all $t \in [0;T[$. Then, by the definition of $\Sigma_2$, there exists $(u,x_3) \in \Sigma_3$ such that $(\Omega(t),x_3(t)) \in R$ for all $t \in [0;T[$. The latter condition implies $(x_1(t),x_3(t)) \in Q$, and $(S_1,\Sigma_1) \preccurlyeq_Q (S_3,\Sigma_3)$ implies $(u,x_1) \in \Sigma_1$. □


VIII. Computation of Abstractions for Perturbed Sampled Control Systems

In the previous section we have seen that the computation of abstractions basically reduces to the over-approximation of attainable sets of the plant. A large number of over-approximation methods have been proposed which apply to different classes of systems, e.g. [2], [7], [38]-[40]. In this section, we present an approach to over-approximate attainable sets of continuous-time perturbed control systems, based on a matrix-valued Lipschitz inequality.
A. The sampled system

Let us consider a perturbed control system of the form

$$\dot x \in f(x,u) + W \qquad (22)$$

with $f\colon \mathbb{R}^n \times U \to \mathbb{R}^n$, $U \subseteq \mathbb{R}^m$ and $W \subseteq \mathbb{R}^n$. We assume throughout this section that $U$ is non-empty, $W$ contains the origin, and that $f(\cdot,u)$ is locally Lipschitz for all $u \in U$. We use the set $W$ to represent various uncertainties in the dynamics of the control system (22).

For $\tau \in \mathbb{R}_+$ and an interval $I \subseteq [0,\tau]$, a solution of (22) on $I$ with (constant) input $u \in U$ is defined as an absolutely continuous function $\xi\colon I \to \mathbb{R}^n$ that satisfies $\dot\xi(t) \in f(\xi(t),u) + W$ for almost every (a.e.) $t \in I$. We say that $\xi$ is continuable to $[0,\tau]$ if there exists a solution $\tilde\xi$ of (22) on $[0,\tau]$ with input $u \in U$ such that $\tilde\xi|_I = \xi$.

We formulate a sampled variant of (22) as a system as follows.

VIII.1 Definition. Let $S_1$ be a simple system of the form (7), and let $\tau > 0$. We say that $S_1$ is the sampled system associated with the control system (22) and the sampling time $\tau$, if $X_1 = \mathbb{R}^n$, $U_1 = U$ and the following holds: $x_1 \in F_1(x_0,u)$ iff there exists a solution $\xi$ of (22) on $[0,\tau]$ with input $u$ satisfying $\xi(0) = x_0$ and $\xi(\tau) = x_1$.

In the sequel, $\varphi$ denotes the general solution of the unperturbed system associated with (22) for constant inputs. That is, if $x_0 \in \mathbb{R}^n$, $u \in U$, and $f(\cdot,u)$ is locally Lipschitz, then $\varphi(\cdot,x_0,u)$ is the unique non-continuable solution of the initial value problem $\dot x = f(x,u)$, $x(0) = x_0$ [37].

Similar to other approaches [14], [15] to over-approximate attainable sets that are known for unperturbed systems, our computation of attainable sets of the perturbed system is based on an estimate of the distance of neighboring solutions of (22).

VIII.2 Definition. Consider the sets $K \subseteq \mathbb{R}^n$, $U' \subseteq U$ and the sampling time $\tau > 0$. A map $\beta\colon \mathbb{R}^n_+ \times U' \to \mathbb{R}^n_+$ is a growth bound on $K$, $U'$ associated with $\tau$ and (22) if the following conditions hold:

(i) $\beta(r,u) \ge \beta(r',u)$ whenever $r \ge r'$ and $u \in U'$;

(ii) $[0,\tau] \times K \times U' \subseteq \operatorname{dom}\varphi$, and if $\xi$ is a solution of (22) on $[0,\tau]$ with input $u \in U'$ and $\xi(0), p \in K$, then

$$|\xi(\tau) - \varphi(\tau,p,u)| \le \beta(|\xi(0) - p|, u) \qquad (23)$$

holds component-wise.

Let us emphasize some distinct features of the estimate (23). First of all, we formulate the inequality (23) component-wise, which allows us to bound the difference of neighboring solutions for each state coordinate independently. Second, $\beta$ is a local estimate, i.e., we require (23) to hold only for initial states in $K$. Moreover, $\beta$ is allowed to depend on the input, but these inputs are assumed to be constant, and we do not bound the effect of different inputs on the distance of the solutions. All those properties contribute to more accurate over-approximations of the attainable sets. This, in turn, leads to less conservative abstractions; see our example in Section IX-A. Note that it is also immediate to account for extensions like time-varying inputs and the use of different sampling times.

B. The abstraction

We continue with the construction of an abstraction $S_2$ of the sampled system $S_1$. The state alphabet $X_2$ of the abstraction is defined as a cover of the state alphabet $X_1$ where the elements of the cover $X_2$ are non-empty, closed hyper-intervals, i.e., every element $x_2 \in X_2$ takes the form

$$[\![a,b]\!] = \mathbb{R}^n \cap ([a_1,b_1] \times \cdots \times [a_n,b_n])$$

for some $a, b \in (\mathbb{R} \cup \{\pm\infty\})^n$, $a \le b$.

Our notion of hyper-intervals allows for unbounded cells in $X_2$. Nevertheless, in the computation of the abstraction $S_2$, we work with a subset $\bar X_2 \subseteq X_2$ of compact cells. We interpret the cells in $\bar X_2$ as the "real" quantizer symbols, and the remaining ones as overflow symbols, see [7, Sect. III.A].

VIII.3 Definition. Consider two simple systems $S_1$ and $S_2$ of the form (7), a set $\bar X_2 \subseteq X_2$ and a 
function $\beta\colon \mathbb{R}^n_+ \times U_2 \to \mathbb{R}^n_+$. Given $\tau > 0$, suppose that $S_1$ is the sampled system associated with (22) 
and sampling time $\tau$. We call $S_2$ an abstraction of $S_1$ based on $\bar X_2$ and $\beta$, if 

(i) $X_2$ is a cover of $X_1$ by non-empty, closed hyper-intervals and every element $x_2 \in \bar X_2$ is compact; 

(ii) $U_2 \subseteq U_1$; 

(iii) for $x_2 \in \bar X_2$, $x_2' \in X_2$ and $u \in U_2$ we have 

$$\bigl(\varphi(\tau, c, u) + \llbracket -r', r' \rrbracket\bigr) \cap x_2' \ne \emptyset \;\implies\; x_2' \in F_2(x_2, u), \qquad (24)$$

where $\llbracket a, b \rrbracket = x_2$, $c = \tfrac{a+b}{2}$, $r = \tfrac{b-a}{2}$ and $r' = \beta(r, u)$; 

(iv) $F_2(x_2, u) = \emptyset$ whenever $x_2 \in X_2 \setminus \bar X_2$, $u \in U_2$. 

Note that the implicit definition of the transition function $F_2$ according to (iii) in Definition VIII.3 
is equivalently expressible as follows. Let $u \in U_2$ and $\llbracket a, b \rrbracket \in \bar X_2$; then $\llbracket a', b' \rrbracket \in X_2$ has to be an 
element of $F_2(\llbracket a, b \rrbracket, u)$ if 

$$a' - r' \le \varphi(\tau, c, u) \le b' + r'$$

holds, where $c$, $r$ and $r'$ are as in Definition VIII.3. 

We illustrate the transition function $F_2(x_2, u)$ of an abstraction in Fig. 5. 



Figure 5. Illustration of the transition function of an abstraction. 


VIII.4 Theorem. Consider two simple systems $S_1$ and $S_2$ of the form (7) and a set $\bar X_2 \subseteq X_2$, and 
let $\tau > 0$. Suppose that $S_1$ is the sampled system associated with (22) and sampling time $\tau$. Let $\beta$ be 
a growth bound on $\bigcup_{x_2 \in \bar X_2} x_2$, $U_2$ associated with $\tau$ and (22). If $S_2$ is an abstraction of $S_1$ based on $\bar X_2$ 
and $\beta$, then $S_1 \preccurlyeq_Q S_2$. 

Proof. To verify condition (i) in Proposition VII.1, first note that $U_{S_2}(x_2) = \emptyset$ if $x_2 \in X_2 \setminus \bar X_2$ by 
our assumption on $S_2$. On the other hand, if $x_1 \in x_2 \in \bar X_2$, then $U_2 \subseteq U_{S_1}(x_1)$ by our assumption on 
$\beta$, so condition (i) in Proposition VII.1 is satisfied. To verify requirement (ii) in Proposition 
VII.1, assume that $x_2, x_2' \in X_2$ and $u \in U_{S_2}(x_2)$. Then $x_2 \in \bar X_2$ by our assumption on $S_2$, so 
$x_2 = \llbracket c - r, c + r \rrbracket$ for some $c, r$. Moreover, if additionally $x_1 \in x_2$ and $x_2' \cap F_1(x_1, u) \ne \emptyset$, then by 
Definition VIII.1 there exists a solution $\xi\colon [0,\tau] \to \mathbb{R}^n$ of the system (22) with input $u$ satisfying 
$\xi(0) = x_1$ and $\xi(\tau) \in x_2'$. It follows that $|\xi(0) - c| \le r$, and hence, $|\xi(\tau) - \varphi(\tau, c, u)| \le r'$. Then (24) 
implies that $x_2' \in F_2(x_2, u)$. An application of Proposition VII.1 completes the proof. □ 

As seen from the above proof, the set $\varphi(\tau, c, u) + \llbracket -r', r' \rrbracket$ in (24) over-approximates the attainable 
set $F_1(\llbracket a, b \rrbracket, u)$. The approximation error, which greatly influences the accuracy of the 
abstraction, can be reduced by working with smaller cells $\llbracket a, b \rrbracket$. However, the accuracy can also be 
improved without rediscretizing the state space $X_1$, by covering cells $\llbracket a, b \rrbracket \in \bar X_2$ by compact hyper-intervals 
$\gamma_i + \llbracket -\rho_i, \rho_i \rrbracket$ with $\rho_i \le r$, $i \in I$, and then using, in place of the premise in (24), the test 

$$\bigl(\varphi(\tau, \gamma_i, u) + \llbracket -\beta(\rho_i, u), \beta(\rho_i, u) \rrbracket\bigr) \cap x_2' \ne \emptyset \quad \text{for some } i \in I.$$
C. A growth bound 

In this subsection we present a specific growth bound for the case that $f$ is continuously differentiable 
in its first argument and the perturbations are given by $W = \llbracket -w, w \rrbracket$ for some $w \in \mathbb{R}^n_+$. In the 
following theorem, we use $D_j f_i$ to denote the partial derivative with respect to the $j$th component 
of the first argument of $f_i$. 

VIII.5 Theorem. Let $\tau > 0$ and let $f$, $U$ and $W$ be as in (22) with $W = \llbracket -w, w \rrbracket$ for some $w \in \mathbb{R}^n_+$. 
Let $U' \subseteq U$ and assume in addition that $f(\cdot, u)$ is continuously differentiable for every $u \in U'$. 
Furthermore, let $K \subseteq K'$ with $K'$ being convex, so that for any $u \in U'$, any $\tau' \in [0,\tau]$ and any 
solution $\xi$ on $[0,\tau']$ of (22) with input $u$ and $\xi(0) \in K$, we have $\xi(t) \in K'$ for all $t \in [0,\tau']$. Lastly, 
let the parametrized matrix $L\colon U' \to \mathbb{R}^{n \times n}$ satisfy 

$$L_{i,j}(u) \;\ge\; \begin{cases} D_j f_i(x, u), & \text{if } i = j, \\ |D_j f_i(x, u)|, & \text{otherwise} \end{cases}$$

for all $x \in K'$ and all $u \in U'$. Then any $\xi$ as above is continuable to $[0,\tau]$, and the map $\beta$ given by 

$$\beta(r, u) = e^{L(u)\tau} r + \int_0^\tau e^{L(u)s} w \, ds$$

is a growth bound on $K$, $U'$ associated with $\tau$ and (22). 

Theorem VIII.5 can be applied quite easily for obtaining growth bounds. Firstly, the computation 
of an a priori enclosure $K'$ of the solutions of (22) is standard, e.g. [41] and the references therein. 
Secondly, the parametrized matrix $L$ requires bounding partial derivatives on $K'$. Such bounds can 
be computed in an automated way using, e.g., interval arithmetic [42]. Finally, given $L$, the evaluation 
of the expression for $\beta$ is straightforward. We emphasize, however, that Theorem VIII.5 provides only 
one of several methods to over-approximate attainable sets. Any over-approximation method can be 
used to compute abstractions based on feedback refinement relations. 

Having a growth bound at hand, the application of Theorem VIII.4 becomes a routine task. 
Examples are presented in the next section. 

For the proof of Theorem VIII.5 we need the following auxiliary result, which appears in [43] 
without proof. 

VIII.6 Lemma. Let $\tau > 0$ and $A \subseteq \mathbb{R}^n$. Let $\xi_i\colon [0,\tau] \to A$, $i \in \{1,2\}$, be two perturbed solutions 
of a dynamical system with continuous right hand side $f\colon \mathbb{R}^n \to \mathbb{R}^n$, i.e., the maps $\xi_i$ are absolutely 
continuous and satisfy 

$$|\dot\xi_i(t) - f(\xi_i(t))| \le w_i(t) \quad \text{for a.e. } t \in [0,\tau],$$

where $w_i\colon [0,\tau] \to \mathbb{R}^n_+$, $i \in \{1,2\}$, are integrable. Consider a matrix $L \in \mathbb{R}^{n \times n}$ with $L_{i,j} \ge 0$ for $i \ne j$ 
and suppose that for all $x, y \in A$ and all $i \in [1;n]$ we have 

$$x_i \ge y_i \;\implies\; f_i(x) - f_i(y) \le \sum_{j=1}^n L_{i,j}\,|x_j - y_j|. \qquad (25)$$

Let $p\colon [0,\tau] \to \mathbb{R}^n$ be absolutely continuous and satisfy 

$$\dot p(t) = L p(t) + w_1(t) + w_2(t)$$

for a.e. $t \in [0,\tau]$. Then $|\xi_1(0) - \xi_2(0)| \le p(0)$ implies $|\xi_1(t) - \xi_2(t)| \le p(t)$ for every $t \in [0,\tau]$. 

Proof. Let $\tilde p\colon [0,\tau] \to \mathbb{R}^n$ be absolutely continuous such that $\tilde p(0) = p(0)$ and $\dot{\tilde p}(t) = L\tilde p(t) + w_1(t) + 
w_2(t) + \varepsilon$ for some $\varepsilon \in (\mathbb{R}_+ \setminus \{0\})^n$ and a.e. $t \in [0,\tau]$. We shall prove that 

$$|\xi_1(t) - \xi_2(t)| \le \tilde p(t) \qquad (26)$$

holds for all $t \in [0,\tau]$, so that the lemma follows from a limit argument. To this end, denote the 
function $\xi_1 - \xi_2 - \tilde p$ on $[0,\tau]$ by $z$ and let $t_0 = \sup\{t \in [0,\tau] \mid \forall_{s \in [0,t]}\; z(s) \le 0\}$. Then $t_0 > 0$ as 
$|\xi_1(0) - \xi_2(0)| \le \tilde p(0)$, and since we can interchange the roles of $\xi_1$ and $\xi_2$ if necessary, we may assume 
without loss of generality that (26) holds for all $t \in [0,t_0]$. It remains to show that $t_0 = \tau$. 

Assume that $t_0 < \tau$. Using (26), a continuity argument shows that we may choose $t_2 \in \,]t_0, \tau]$ and 
$i \in [1;n]$ such that $z_i(t_2) > 0$, $z_i(t_0) = 0$ and 

$$\sum_{j=1}^n L_{i,j}\,\tilde p_j(t) \;>\; \sum_{j=1}^n L_{i,j}\,|\xi_{1,j}(t) - \xi_{2,j}(t)| \qquad (27)$$

for all $t \in [t_0, t_2]$. Define $t_1 = \sup\{t \in [t_0, t_2] \mid z_i(t) \le 0\}$ and note that $z_i(t_1) = 0$ as $z_i$ is continuous. 
The inequality $\dot z_i(t) \le f_i(\xi_1(t)) - f_i(\xi_2(t)) + w_{1,i}(t) + w_{2,i}(t) - \dot{\tilde p}_i(t)$ for a.e. $t \in [t_1, t_2]$ and the definition 
of $\tilde p$ then imply that 

$$z_i(t_2) \le \int_{t_1}^{t_2} \Bigl( f_i(\xi_1(t)) - f_i(\xi_2(t)) - \sum_{j=1}^n L_{i,j}\,\tilde p_j(t) - \varepsilon_i \Bigr)\, dt.$$

Thus, $z_i(t_2) < 0$ by (27) and (25). This contradicts our choice of $t_2$, and so $t_0 = \tau$. □ 

Proof of Theorem VIII.5. Fix $p \in K$, $u \in U'$ and note that $\beta(r, u) \ge \beta(r', u)$ if $r \ge r'$ as all entries 
of $e^{L(u)\tau}$ are non-negative [44, Th. 7.7]. Next, we show that condition (ii) in Definition VIII.2 holds. 
In order to apply Lemma VIII.6 we shall establish (25) for $K'$, $f(\cdot, u)$ and $L(u)$ in place of $A$, $f$ 
and $L$. Indeed, by the mean value theorem, there exists $z \in \{x + t(y - x) \mid t \in [0,1]\}$ such that 
$f_i(x, u) - f_i(y, u) = \sum_{j=1}^n D_j f_i(z, u)\,(x_j - y_j)$. Hence, by the definition of $L$, we obtain (25). Now, 
let $\xi$ be a solution on $[0,\tau]$ of (22) with input $u$ such that $\xi(0) \in K$. By Filippov's Lemma [45], 
there exists an integrable map $s\colon [0,\tau] \to W$ such that $\dot\xi(t) = f(\xi(t), u) + s(t)$ for a.e. $t \in [0,\tau]$. So, 
apply Lemma VIII.6 to $f(\cdot, u)$, $K'$, $\varphi(\cdot, p, u)$, $\xi$, $0$, $w$ and $L(u)$ in place of $f$, $A$, $\xi_1$, $\xi_2$, $w_1$, $w_2$ and $L$, 
respectively, to obtain $|\xi(\tau) - \varphi(\tau, p, u)| \le \beta(|\xi(0) - p|, u)$. 

Finally, suppose there exists $\xi\colon [0,\tau'] \to K'$ as in the statement of the theorem that is not continuable 
to $[0,\tau]$. Then, there exist $t_0 \in \,]\tau', \tau]$ and a solution $\tilde\xi\colon [0, t_0[\, \to \mathbb{R}^n$ of (22) with input $u$ such that 
$\tilde\xi|_{[0,\tau']} = \xi$ and $\tilde\xi(t)$ becomes unbounded as $t \in [0, t_0[$ approaches $t_0$ [46]. On the other hand, applying 
Lemma VIII.6 to $f(\cdot, u)$, $K'$, $\tilde\xi|_{[0,t]}$, $\tilde\xi(0)$, $w$, $|f(\tilde\xi(0), u)|$, $L(u)$ and $t$ in place of $f$, $A$, $\xi_1$, $\xi_2$, $w_1$, $w_2$, $L$ 
and $\tau$ we conclude that $|\tilde\xi(t) - \tilde\xi(0)|$ is uniformly bounded for $t \in [0, t_0[$, which is a contradiction. □ 

D. The Case of Periodic Dynamics 

Occasionally we will have to consider continuous-time control systems of the form (22) whose 
dynamics are periodic, i.e., $f(x + p, \cdot) = f(x, \cdot)$ for some period $p \in \mathbb{R}^n \setminus \{0\}$ and all $x \in \mathbb{R}^n$. Our 
result below shows how to exploit periodicity to obtain abstractions that are finite and yet are capable 
of reproducing solutions that are unbounded in the direction of the period. This is useful, e.g. when 
one of the components of the state represents an angle and the number of full loops is potentially 
unbounded; see Section IX-A for an example. 

VIII.7 Theorem. Let $p_1, \dots, p_\ell \in \mathbb{R}^n$, $\ell \in \mathbb{N}$, be such that $f$ in (22) satisfies $f(x + p_i, u) = f(x, u)$ 
for all $i \in [1;\ell]$, $x \in \mathbb{R}^n$ and $u \in U$. Consider systems $S_1$ and $S_2$ of the form (1), where $U_2 \subseteq U_1$ and 
$S_1$ is the sampled system associated with (22) and sampling time $\tau > 0$. Define the map $\pi\colon X_1 \rightrightarrows X_1$ 
by $\pi(x) = \{x + \sum_{i=1}^\ell k_i p_i \mid k \in \mathbb{Z}^\ell\}$, and let $R$ be a set of non-empty subsets of $X_1$ such that $X_2 = 
\{\pi(\Omega) \mid \Omega \in R\}$ and $X_2$ is a cover of $X_1$. 

Then $S_1 \preccurlyeq_Q S_2$ iff the following conditions hold: 

(a) $x \in \Omega \in R$ implies $U_{S_2}(\pi(\Omega)) \subseteq U_{S_1}(x)$. 

(b) If $\Omega, \Omega' \in R$, $u \in U_{S_2}(\pi(\Omega))$ and $\pi(\Omega') \cap F_1(\Omega, u) \ne \emptyset$, then $\pi(\Omega') \in F_2(\pi(\Omega), u)$. 

Obviously, the transition function $F_2$ of the system $S_2$ can be computed by over-approximating 
attainable sets $F_1(\Omega, u)$ as detailed in Sections VII-A, VIII-B and VIII-C, and by verifying the 
condition $(\Omega' + \sum_{i=1}^\ell k_i p_i) \cap F_1(\Omega, u) \ne \emptyset$, for $\Omega, \Omega' \in R$ with $\Omega$ being compact, and finitely many 
$k \in \mathbb{Z}^\ell$. 

Proof. First observe that $F_1(x, u) + \langle k \mid p \rangle = F_1(x + \langle k \mid p \rangle, u)$ for all $k \in \mathbb{Z}^\ell$, $x \in X_1$ and $u \in U_1$, where 
$\langle k \mid p \rangle = \sum_{i=1}^\ell k_i p_i$. Then $U_{S_1}(x + \langle k \mid p \rangle) = U_{S_1}(x)$ for all $x \in X_1$ and all $k \in \mathbb{Z}^\ell$, which shows that 
condition (i) in Proposition VII.1 is equivalent to (a). We shall show that condition (ii) is 
equivalent to (b), which proves the theorem. 

If $\Omega, \Omega' \in R$, $u \in U_{S_2}(\pi(\Omega))$ and $\pi(\Omega') \cap F_1(\Omega, u) \ne \emptyset$, then $\pi(\Omega), \pi(\Omega') \in X_2$ and $\Omega \subseteq \pi(\Omega)$, and so 
(ii) shows that $\pi(\Omega') \in F_2(\pi(\Omega), u)$. Conversely, if $\Omega, \Omega' \in X_2$, $u \in U_{S_2}(\Omega)$ and $\Omega' \cap F_1(\Omega, u) \ne \emptyset$, then 
there exist $\Omega_0, \Omega_0' \in R$ satisfying $\Omega = \pi(\Omega_0)$ and $\Omega' = \pi(\Omega_0')$. Hence, $\pi(\Omega_0') \cap (\langle k \mid p \rangle + F_1(\Omega_0, u)) \ne \emptyset$ 
for some $k \in \mathbb{Z}^\ell$, and since $\pi(\Omega_0') = \pi(\Omega_0') + \langle k \mid p \rangle$ we have $\pi(\Omega_0') \cap F_1(\Omega_0, u) \ne \emptyset$. Then (b) shows 
that $\Omega' \in F_2(\Omega, u)$, which completes the proof. □ 

IX. Examples 

In this section, we demonstrate the practicality of our approach on control problems for nonlinear 
plants. 


A. A path planning problem for an autonomous vehicle 

We consider an autonomous vehicle whose dynamics we assume to be given by the bicycle model in 
[47, Ch. 2.4]. More concretely, the dynamics of the system are of the form (22), where $f\colon \mathbb{R}^3 \times U \to \mathbb{R}^3$ 
is given by 

$$f(x, u) = \begin{pmatrix} u_1 \cos(\alpha + x_3) \cos(\alpha)^{-1} \\ u_1 \sin(\alpha + x_3) \cos(\alpha)^{-1} \\ u_1 \tan(u_2) \end{pmatrix}$$

with $U = [-1,1] \times [-1,1]$ and $\alpha = \arctan(\tan(u_2)/2)$. Here, $(x_1, x_2)$ is the position and $x_3$ is the 
orientation of the vehicle in the 2-dimensional plane. The control inputs $u_1$ and $u_2$ are the rear 
wheel velocity and the steering angle. Perturbations are not acting on the system dynamics, i.e., 
$W = \{(0,0,0)\}$. 

The concrete control problem is formulated with respect to the sampled system $S_1$ associated with 
(22) and sampling time $\tau = 0.3$. The control objective is to enforce a certain patrolling behavior on 
the vehicle which is situated in a maze; see Fig. 6. Specifically, the vehicle, whose initial state is $A_{1,0} = 
\{(0.4, 0.4, 0)\}$, should patrol infinitely often between the target regions $A_{1,r_1} = [0, 0.5] \times [0, 0.5] \times \mathbb{R}$ 
and $A_{1,r_2} = (9, 0, 0) + A_{1,r_1}$, while avoiding the obstacles $A_{1,a}$. The third component of $A_{1,a}$ equals $\mathbb{R}$. 
We formalize our concrete control problem through the pair $(S_1, \Sigma_1)$ with the specification $\Sigma_1$ defined by 

$$\Sigma_1 = \Bigl\{(u, x) \in (U_1 \times X_1)^{\mathbb{Z}_+} \Bigm| x(0) \in A_{1,0} \implies \forall_{t \in \mathbb{Z}_+}\Bigl(x(t) \notin A_{1,a} \;\wedge\; \forall_{j \in \{1,2\}}\,\exists_{t' \in [t;\infty[}\; x(t') \in A_{1,r_j}\Bigr)\Bigr\}, \qquad (28)$$

where $U_1 = U$ and $X_1 = \mathbb{R}^3$. To solve $(S_1, \Sigma_1)$ we solve an abstract control problem $(S_2, \Sigma_2)$ as 
detailed below. 

As $f$ possesses the period $p = (0, 0, 2\pi)$ we construct a canonical abstraction $S_2$ of the form (7) 
using Theorem VIII.7, where $R$ consists of the shifted copies of the hyper-interval 

$$\llbracket -\tfrac{1}{10}, \tfrac{1}{10} \rrbracket \times \llbracket -\tfrac{1}{10}, \tfrac{1}{10} \rrbracket \times \llbracket -\tfrac{\pi}{35}, \tfrac{\pi}{35} \rrbracket,$$

whose centers form the set $\tfrac{1}{5}[0;50] \times \tfrac{1}{5}[0;50] \times \tfrac{2\pi}{35}[-17;17]$, and of the hyper-intervals $\{x \in \mathbb{R}^3 \mid 
x_j > 10.1\}$, $\{x \in \mathbb{R}^3 \mid x_j < -0.1\}$, $j \in \{1,2\}$. Set $U_2 = \{0, \pm 0.3, \pm 0.6, \pm 0.9\} \times \{0, \pm 0.3, \pm 0.6, \pm 0.9\}$, 
and let $X_2$ be as in Theorem VIII.7. The transition function $F_2$ is computed according to the 
remark following Theorem VIII.7, in which $F_2(x_2, u) = \emptyset$ if $(x_2, u) \in X_2 \times U_2$, $x_2 \cap A_{1,a} \ne \emptyset$. The 
required growth bound $\beta$ on $\mathbb{R}^3$, $U_2$ associated with $\tau$ and (22) is obtained using Theorem VIII.5. In 
particular, $\beta(r, u) = e^{L(u)\tau} r$, where $L$ is given by $L_{1,3}(u_1, u_2) = L_{2,3}(u_1, u_2) = |u_1 \sqrt{\tan^2(u_2)/4 + 1}|$, 
and $L_{i,j}(u_1, u_2) = 0$ for $(i, j) \notin \{(1,3), (2,3)\}$. 

The computation of $F_2$ takes 2.25 seconds (Intel Core i7 2.9 GHz) resulting in an abstraction having 
37266181 transitions. 
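To make the construction concrete, the following Python is an added example, not code from the paper, that computes $F_2(x_2, u)$ for single cells of the grid above by the test (24): it uses the closed-form solution $\varphi(\tau, c, u)$ of the bicycle model (derived here, since $x_3$ is affine in $t$ under a constant input), the growth bound $\beta(r, u) = e^{L(u)\tau} r = r + \tau L(u) r$ with the nilpotent $L(u)$ just given, and the identification of angle cells modulo $2\pi$ from Theorem VIII.7. The integer cell indices, the single overflow symbol standing for the unbounded cells, and the small widening of the closed-set intersection test are choices made for this example.

```python
import math

# Added example, not code from the paper: one row of the transition function F_2 for the
# vehicle of Section IX-A, from Definition VIII.3 (iii), the growth bound of Theorem VIII.5 and
# the periodic wrapping of Theorem VIII.7.  Grid: cells of half-width R centred at integer
# multiples of 2R, 51 x 51 x 35 compact cells (one angular period).  The integer indexing, the
# OVERFLOW symbol and the closed-form solution below are assumptions made for the example.

TAU = 0.3
R = (0.1, 0.1, math.pi / 35)          # cell half-widths r
N_XY, K_MAX = 50, 17                  # position indices 0..50, angle indices -17..17 (35 cells = 2*pi)
OVERFLOW = "overflow"                 # stands for the unbounded cells x_j > 10.1, x_j < -0.1

def nominal(c, u, tau=TAU):
    """phi(tau, c, u): solution of (22) with W = {0} from c under constant input u.
    x3 grows linearly with the constant yaw rate u1*tan(u2), so x1, x2 integrate exactly."""
    u1, u2 = u
    a = math.atan(math.tan(u2) / 2)            # alpha
    x1, x2, x3 = c
    omega = u1 * math.tan(u2)
    x3_t = x3 + omega * tau
    if abs(omega) < 1e-12:                     # straight-line motion
        v = u1 / math.cos(a)
        return (x1 + v * math.cos(a + x3) * tau, x2 + v * math.sin(a + x3) * tau, x3_t)
    k = 1.0 / (math.tan(u2) * math.cos(a))
    return (x1 + k * (math.sin(a + x3_t) - math.sin(a + x3)),
            x2 - k * (math.cos(a + x3_t) - math.cos(a + x3)),
            x3_t)

def growth_bound(r, u, tau=TAU):
    """beta(r, u) of Theorem VIII.5 with the L(u) of Section IX-A.  Only the entries (1,3) and
    (2,3) are non-zero, so L(u)^2 = 0 and e^{L tau} r = r + tau L r; w = 0 removes the integral."""
    u1, u2 = u
    l13 = abs(u1 * math.sqrt(math.tan(u2) ** 2 / 4 + 1))
    return (r[0] + tau * l13 * r[2], r[1] + tau * l13 * r[2], r[2])

def successors(cell, u):
    """F_2(x_2, u) for the cell with index triple `cell`, by test (24): every cell that meets
    phi(tau, c, u) + [[-r', r']] is a successor.  Cells are closed, so x_2' meets that box iff
    |c'_m - phi_m| <= r'_m + R_m in every component m, which yields an index range per axis."""
    c = tuple(idx * 2 * rm for idx, rm in zip(cell, R))
    phi = nominal(c, u)
    rp = growth_bound(R, u)
    eps = 1e-9   # widen the test slightly: extra successors keep the abstraction sound
    lo = [math.ceil((phi[m] - rp[m] - R[m]) / (2 * R[m]) - eps) for m in range(3)]
    hi = [math.floor((phi[m] + rp[m] + R[m]) / (2 * R[m]) + eps) for m in range(3)]
    succ = set()
    for i in range(lo[0], hi[0] + 1):
        for j in range(lo[1], hi[1] + 1):
            if not (0 <= i <= N_XY and 0 <= j <= N_XY):
                succ.add(OVERFLOW)         # Definition VIII.3 (iv): no transitions leave it
                continue
            for k in range(lo[2], hi[2] + 1):
                # Theorem VIII.7: angle cells are identified with their shifts by multiples of 2*pi
                succ.add((i, j, (k + K_MAX) % (2 * K_MAX + 1) - K_MAX))
    return succ

if __name__ == "__main__":
    print(sorted(successors((2, 2, 0), (0.9, 0.0)), key=str))
```

For the initial cell (index $(2,2,0)$, centre $(0.4, 0.4, 0)$) and $u = (0.9, 0)$ the vehicle drives $0.27$ straight ahead; the growth bound inflates the position radius from $0.1$ to $0.1 + 0.27\pi/35$, and the box meets two cells in $x_1$, three in $x_2$ and three in $x_3$, i.e. 18 successors. A cell at the boundary of the grid produces the overflow symbol, and a cell with orientation near $\pi$ under a turning input wraps to negative angle indices.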

To construct the abstract specification $\Sigma_2$ we let $A_{2,0} = \{x_2 \in X_2 \mid x_2 \cap A_{1,0} \ne \emptyset\}$, $A_{2,r_i} = \{x_2 \in 
X_2 \mid x_2 \subseteq A_{1,r_i}\}$, $i \in \{1,2\}$ and $A_{2,a} = \{x_2 \in X_2 \mid x_2 \cap A_{1,a} \ne \emptyset\}$; see Fig. 6. We define $\Sigma_2$ by (28), 
where we substitute $U_1$, $X_1$, $A_{1,0}$, $A_{1,r_1}$, $A_{1,r_2}$, $A_{1,a}$ with $U_2$, $X_2$, $A_{2,0}$, $A_{2,r_1}$, $A_{2,r_2}$, $A_{2,a}$, respectively. 

It is straightforward to verify that $\Sigma_2$ is an abstract specification associated with $S_1$, $S_2$, $Q$ and $\Sigma_1$. 

The abstract problem $(S_2, \Sigma_2)$ can be solved using the algorithm in [6, Fig. 1], which simplifies here 
to two rather than three nested fixed-point iterations since for our problem the general reactivity (1) 
specification in [6] reduces to $\nu Z.\bigcap_{i \in \{1,2\}} \mu Y.\bigl(\odot Y \cup (A_{2,r_i} \cap \odot Z)\bigr)$, where $\odot A = \{x \in X_2 \mid \exists_{u \in U_2}\; \emptyset \ne F_2(x, u) \subseteq A\}$. 

We actually use a Dijkstra-like algorithm [48] for the inner fixed-point to successfully solve $(S_2, \Sigma_2)$ 
within 0.54 seconds. The solution is refined to a solution of $(S_1, \Sigma_1)$ by adding a static quantizer; see 
Theorem VI.3. A similar problem with considerably less complex specification is solved in [14], where 
the run times in seconds are 13509 (abstraction) and 535 (synthesis) on Intel Core 2 Duo 2.4 GHz. 
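As an added example, not the authors' implementation, the following Python solves the inner fixed point $\mu Y.(A_{2,r} \cup \odot Y)$ on a small hand-built non-deterministic abstraction with a Dijkstra-like pass over unit step costs, and checks the resulting controller by simulating the closed loop under an adversarial resolution of the non-determinism. The grid, inputs, obstacles, target and transitions are constructed for the example and are unrelated to the abstractions of Sections IX-A and IX-B; obstacle cells and the overflow symbol have no outgoing transitions, as in the abstractions above.

```python
from collections import defaultdict, deque

# Added example, not code from the paper: the reachability fixed point mu Y.(A_r cup pre(Y)) with
# pre(Y) = {x | exists u: {} != F_2(x, u) subset of Y} (the circle operator of Section IX-A),
# solved Dijkstra-style for unit step costs as in [48] on a hand-built finite abstraction.
# Grid, inputs, obstacles, target and transitions are all constructed here.

GRID = [(x, y) for x in range(4) for y in range(3)]  # compact cells in bar X_2
OVERFLOW = "overflow"                                # one unbounded cell standing for all of them
STATES = GRID + [OVERFLOW]
OBSTACLES = {(1, 1), (2, 1)}                          # cells that meet A_a
TARGET = {(3, 2)}                                     # A_{2,r}
INPUTS = ("N", "S", "E", "W")

def F2(x, u):
    """Non-deterministic transition function of the constructed abstraction.  'N' may overshoot
    by one cell (its over-approximated attainable set covers two cells); the other moves are
    deterministic.  Cells meeting A_a get no transitions (as in Section IX-A), nor does the
    overflow symbol (Definition VIII.3 (iv)); moves off the grid lead into the overflow symbol."""
    if x == OVERFLOW or x in OBSTACLES:
        return set()
    px, py = x
    if u == "N":
        succ = {(px, min(py + 1, 2)), (px, min(py + 2, 2))}
    else:
        dx, dy = {"S": (0, -1), "E": (1, 0), "W": (-1, 0)}[u]
        succ = {(px + dx, py + dy)}
    return {q if q in GRID else OVERFLOW for q in succ}

def synthesize(target):
    """Dijkstra-like solution of the reach-avoid problem.  Returns (V, C): V[x] is the worst-case
    number of steps to reach `target` under the controller C[x]; states missing from V lie outside
    the fixed point, i.e. are losing.  A pair (x, u) becomes usable once every successor in
    F2(x, u) is winning; the queue is processed in order of non-decreasing V, so the last successor
    to become winning fixes the worst case."""
    V = {x: 0 for x in target}
    C = {}
    pending = {}                  # (x, u) -> number of successors not yet known to be winning
    pred = defaultdict(list)      # y -> pairs (x, u) with y in F2(x, u)
    for x in STATES:
        for u in INPUTS:
            succ = F2(x, u)
            if succ:              # an empty F2(x, u) never satisfies {} != F2(x, u) subset of Y
                pending[(x, u)] = len(succ)
                for y in succ:
                    pred[y].append((x, u))
    queue = deque(sorted(target))
    while queue:
        y = queue.popleft()
        for (x, u) in pred[y]:
            pending[(x, u)] -= 1
            if pending[(x, u)] == 0 and x not in V:
                V[x], C[x] = V[y] + 1, u
                queue.append(x)
    return V, C

def run_closed_loop(x0, V, C, resolve, max_steps=100):
    """Simulate S_2 under controller C; `resolve` picks one of the non-deterministic successors.
    Returns the number of steps until TARGET is reached, or None if the loop gets stuck."""
    x = x0
    for step in range(max_steps):
        if x in TARGET:
            return step
        if x not in C:
            return None           # losing state: the controller has no input here
        x = resolve(F2(x, C[x]))
    return None

if __name__ == "__main__":
    V, C = synthesize(TARGET)
    print({x: (V[x], C.get(x)) for x in sorted(V, key=str)})
```

Resolving the non-determinism adversarially (always the successor with the largest $V$) reaches the target in exactly $V[x_0]$ steps from every winning state, which is the guarantee the fixed point provides; obstacle cells and the overflow symbol never enter $V$, so no controlled run can pass through them.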

We would like to discuss two of the advantages of the growth bounds we have introduced in Section 
VIII. As we already mentioned, $\beta$ bounds each component of neighboring solutions separately, which 
can be directly seen by the formula $\beta(r, u) = r + \tau L_{1,3}(u_1, u_2) \cdot (r_3, r_3, 0)^T$. This distinguishes $\beta$ from 
an estimate based on a norm. Moreover, $\beta$ depends on the input, which is crucial for the present 
example. Indeed, the function $r \mapsto e^{(\sup L)\tau} r$, where $\sup L \in \mathbb{R}^{3 \times 3}$ is given by $(\sup L)_{i,j} = \sup_{u \in U_2} L_{i,j}(u)$, 
is also a growth bound on $\mathbb{R}^3$, $U_2$ associated with $\tau$ and (22), which leads to an abstraction with 
43288873 transitions. However, due to the poor approximation quality of this growth bound we 
obtain an unsolvable abstract control problem. 


B. An aircraft landing maneuver 

We consider an aircraft DC9-30 whose dynamics we model according to [49]. We use $x_1, x_2, x_3$ to 
denote the state variables, which respectively correspond to the velocity, the flight path angle and the 
altitude of the aircraft. The input alphabet is given by $U = [0, 160 \cdot 10^3] \times [0^\circ, 10^\circ]$ and represents the 
thrust of the engines (in Newton) and the angle of attack. The dynamics are given by $f\colon \mathbb{R}^3 \times U \to \mathbb{R}^3$, 

$$f(x, u) = \begin{pmatrix} \frac{1}{m}\bigl(u_1 \cos u_2 - D(u_2, x_1) - mg \sin x_2\bigr) \\[2pt] \frac{1}{m x_1}\bigl(u_1 \sin u_2 + L(u_2, x_1) - mg \cos x_2\bigr) \\[2pt] x_1 \sin x_2 \end{pmatrix},$$

where $D(u_2, x_1) = \bigl(2.7 + 3.08 \cdot (1.25 + 4.2 \cdot u_2)^2\bigr) \cdot x_1^2$, $L(u_2, x_1) = \bigl(68.6 \cdot (1.25 + 4.2 \cdot u_2)\bigr) \cdot x_1^2$ and 
$mg = 60 \cdot 10^3 \cdot 9.81$ account for the drag, lift and gravity, respectively [49]. 

We consider the input disturbance $P_1\colon U \rightrightarrows U$ given by $P_1(u) = \bigl(u + [-5 \cdot 10^3, 5 \cdot 10^3] \times [-0.25^\circ, 0.25^\circ]\bigr) \cap 
U$ and measurement errors of the form $P_2\colon \mathbb{R}^3 \rightrightarrows \mathbb{R}^3$ given by $P_2(x) = x + \tfrac12[-0.25, 0.25] \times 
\tfrac12[-0.05^\circ, 0.05^\circ] \times \tfrac12[-1, 1]$. We do not consider any further disturbances, i.e., we let $W = \{(0, 0, 0)\}$, 
$P_3 = \mathrm{id}$, and $P_4 = \mathrm{id}$. 

The concrete control problem is formulated with respect to the sampled system $S_1$ associated with (22), the 
perturbations $P_1, \dots, P_4$ and the sampling time $\tau = 0.25$. We aim at steering the aircraft from an altitude 
of 55 meters close to the ground with an appropriate total and horizontal touchdown velocity. More 
formally, the specification $\Sigma_1$ is given by 

$$\Sigma_1 = \Bigl\{(u, x) \in (U_1 \times X_1)^{\mathbb{Z}_+} \Bigm| x(0) \in A_0 \implies \exists_{t \in \mathbb{Z}_+}\Bigl(x(t) \in A_r \;\wedge\; \forall_{t' \in [0;t]}\; x(t') \notin A_a\Bigr)\Bigr\}, \qquad (29)$$

where $I = [-3^\circ, 0^\circ]$, $A_0 = [80, 82] \times [-2^\circ, -1^\circ] \times \{55\}$, 

$$A_a = \mathbb{R}^3 \setminus \bigl([58, 83] \times I \times [0, 56]\bigr),$$

$$A_r = \bigl([63, 75] \times I \times [0, 2.5]\bigr) \cap \{x \in \mathbb{R}^3 \mid x_1 \sin x_2 \ge -0.91\}.$$



Reissig, Weber, and Rungger, Feedback Refinement Relations for the Synthesis of Symbolic Controllers 


Figure 6. Projection of the states of $S_1$ and $S_2$ to $\mathbb{R}^2 \times \{0\}$. The sets $A_{1,a}$ and $A_{1,r_1}, A_{1,r_2}$ are indicated in dark blue and in 
red, respectively. The states in $A_{2,a}$ and $A_{2,r_1}, A_{2,r_2}$ are indicated in blue and in light red, respectively. A closed-loop trajectory 
of the concrete control problem is shown evolving from $A_{1,r_1}$ to $A_{1,r_2}$ in the blue part and vice versa in the green part. 

As detailed in Section VI-B, the perturbed control problem is solved through an auxiliary unperturbed 
control problem. To begin with, define the simple system $\tilde S_1$ by (20) with $\tilde U_1 = U$. Next, let $X$ be a 
cover of $\mathbb{R}^3$ formed by subdividing $\mathbb{R}^3 \setminus A_a$ into $210 \cdot 210 \cdot 210$ hyper-intervals, and suitable unbounded 
hyper-intervals. Define $X_2 = \{P_2^{-1}(\Omega) \mid \Omega \in X\}$ and let $\bar X_2$ be the subset of compact elements of $X_2$ 
that do not intersect $A_a$. Define the abstraction for $\tilde S_1$ as the simple system $S_2$ given by (7), where 
$U_2 = \{0, 32000\} \times U'$, and $U'$ contains precisely 10 inputs equally spaced in $[0^\circ, 8^\circ]$. We apply Theorem 
VIII.5 with $w = M(5000, 0.25^\circ)^T \le (0.108, 0.002, 0)^T$ and a suitable a priori enclosure $K'$ to obtain 
a growth bound, where $M \in \mathbb{R}^{3 \times 2}$ satisfies $M_{i,j} \ge |D_{j,2} f_i(x, u)|$ for all $x \in K'$ and $u \in P_1(U_2)$. Here, 
$D_{j,2} f_i$ stands for the partial derivative with respect to the $j$th component of the second argument of 
$f_i$. Note that $w$ accounts for the perturbation $P_1$. Then, we use Theorem VIII.4 to compute $F_2$ such 
that $\tilde S_1 \preccurlyeq_Q S_2$. The computation takes 674 seconds resulting in an abstraction with about $9.38 \cdot 10^8$ 
transitions (Intel Xeon E5 3.1 GHz). 

To construct the abstract specification $\Sigma_2$ for $S_2$ we let $A_{2,0} = \{x_2 \in X_2 \mid x_2 \cap A_0 \ne \emptyset\}$, $A_{2,a} = 
\{x_2 \in X_2 \mid x_2 \cap A_a \ne \emptyset\}$, $A_{2,r} = \{x_2 \in X_2 \mid x_2 \subseteq A_r\}$ and define the specification $\Sigma_2$ by (29) with 
$U_2$, $X_2$, $A_{2,0}$, $A_{2,r}$, $A_{2,a}$ in place of $U_1$, $X_1$, $A_0$, $A_r$, $A_a$. It is easy to verify that $\Sigma_2$ is an abstract 
specification associated with $\tilde S_1$, $S_2$, $Q$ and $\Sigma_1$. Note that $\Sigma_2$ (as well as $\Sigma_1$) is a particular instance 
of a reach-avoid specification. Using a standard technique [48], the abstract control problem $(S_2, \Sigma_2)$ 
is successfully solved within 26 seconds. By Corollary VI.5 the behavior of the perturbed closed loop 
is a subset of $\Sigma_1$. See Fig. 7. 

We proceed to make some comments on solving perturbed control problems. At first, Theorem 
VIII.5 allows us to deal with time-varying input perturbations, when the theorem is applied as in this 
example. Second, accounting for measurement errors only requires inflating the cells that would have 
been used if measurement errors were not present. To conclude, perturbed control problems can be 
solved in our framework by using canonical abstractions. 



Figure 7. Time evolution of the altitude of the aircraft in the closed loop. The aircraft pitch $u_2 + x_2$ is indicated for 8 instants 
of time. 


X. Conclusions 

We have presented a novel approach to abstraction-based controller synthesis which builds on the 
concept of feedback refinement relation introduced in the present paper. Our framework incorporates 
several distinct features. Foremost, the designed controllers require quantized (or symbolic) state 
information only and are connected to the plant via a static quantizer, which is particularly important 
for any practical implementation of the controller. Our work permits the synthesis of robust correct-by-design 
controllers in the presence of various uncertainties and disturbances, and more generally, 
applies to a broader class of synthesis problems than previous research addressing the state information 
and refinement complexity issues as explained and illustrated in Sections I and IV. Moreover, we do 
not assume that the controller is able to set the initial state of the plant, which is also important in 
the context of practical control systems. 

We have additionally identified a class of canonical abstractions, and have presented a method to 
compute such abstractions for perturbed nonlinear control systems. We utilized numerical examples 
to demonstrate the applicability and efficiency of our synthesis framework. We emphasize, however, 
that the computational effort is still expected to grow rapidly with the dimension of the state space 
of the plant, a problem that is shared by all grid based methods for the computation of abstractions. 